2024

2023

CVE-2023-41447 (v3: 6.1) 28 Sep 2023
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the subcmd parameter in the index.php component.
CVE-2023-41446 (v3: 6.1) 28 Sep 2023
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted script to the title parameter in the index.php component.

2022

2021

CVE-2021-43692 (v3: 6.1) 29 Nov 2021
An unspecified version of youtube-php-mirroring is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php.
CVE-2021-43697 (v3: 6.1) 29 Nov 2021
An unspecified version of Workerman-ThinkPHP-Redis is affected by a Cross Site Scripting (XSS) vulnerability. In file Controller.class.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET[C('VAR_JSONP_HANDLER')], so there is an XSS vulnerability.
CVE-2021-43698 (v3: 6.1) 29 Nov 2021
An unspecified version of phpWhois is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET['query'], so there is an XSS vulnerability.
CVE-2021-40541 (v3: 6.1) 11 Oct 2021
PHPFusion 9.03.110 is affected by cross-site scripting (XSS): the preg patterns filter HTML tags without "//" in the descript() function. An authenticated user can trigger XSS by appending "//" to the end of the text.
CVE-2021-26303 (v3: 6.1) 29 Jan 2021
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the user-profile.php Full Name field.
CVE-2021-26304 (v3: 6.1) 29 Jan 2021
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the add-expense.php Item parameter.

2020

CVE-2020-35132 (v3: 5.4) 11 Dec 2020
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php.
CVE-2020-13827 (v3: 6.1) 4 Jun 2020
phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
CVE-2020-12718 (v3: 5.4) 8 May 2020
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.
CVE-2020-12706 (v3: 5.4) 7 May 2020
Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php.
CVE-2020-12708 (v3: 6.1) 7 May 2020
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.
CVE-2020-12639 (v3: 6.1) 4 May 2020
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
CVE-2020-12438 (v3: 5.4) 28 Apr 2020
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.
CVE-2020-12132 (v3: 6.1) 24 Apr 2020
Fifthplay S.A.M.I before 2019.3_HP2 allows unauthenticated stored XSS via a POST request.
CVE-2020-7132 (v3: 5.4) 23 Apr 2020
A potential security vulnerability has been identified in HPE Onboard Administrator. The vulnerability could be remotely exploited to allow Reflected Cross Site Scripting. HPE has made the following software updates and mitigation information available to resolve the vulnerability in HPE Onboard Administrator. * OA 4.95 (Linux and Windows).
CVE-2020-12054 (v3: 6.1) 23 Apr 2020
The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a search query). Also affected are 16 themes (if the plugin is enabled) by the same author: Alchemist and Alchemist PRO, Izabel and Izabel PRO, Chique and Chique PRO, Clean Enterprise and Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, and Higher Education PRO.
CVE-2020-5557 (v3: 6.1) 25 Mar 2020
Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-10442 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-popular.php by adding a question mark (?) followed by the payload.
CVE-2020-10443 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-printed.php by adding a question mark (?) followed by the payload.
CVE-2020-10444 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-rated.php by adding a question mark (?) followed by the payload.
CVE-2020-10445 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article.php by adding a question mark (?) followed by the payload.
CVE-2020-10446 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-category.php by adding a question mark (?) followed by the payload.
CVE-2020-10447 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-failed-login.php by adding a question mark (?) followed by the payload.
CVE-2020-10448 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-referrers.php by adding a question mark (?) followed by the payload.
CVE-2020-10449 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-search.php by adding a question mark (?) followed by the payload.
CVE-2020-10450 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-traffic.php by adding a question mark (?) followed by the payload.
CVE-2020-10451 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-user.php by adding a question mark (?) followed by the payload.
CVE-2020-10452 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/save-article.php by adding a question mark (?) followed by the payload.
CVE-2020-10453 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/search-users.php by adding a question mark (?) followed by the payload.
CVE-2020-10454 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/sitemap-generator.php by adding a question mark (?) followed by the payload.
CVE-2020-10455 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/translate.php by adding a question mark (?) followed by the payload.
CVE-2020-10456 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/trash-box.php by adding a question mark (?) followed by the payload.
CVE-2020-10461 (v3: 6.1) 12 Mar 2020
The way comments in article.php (vulnerable function in include/functions-article.php) are handled in Chadha PHPKB Standard Multi-Language 9 allows attackers to execute Stored (Blind) XSS (injecting arbitrary web script or HTML) in admin/manage-comments.php, via the GET parameter cmt.
CVE-2020-10462 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/edit-field.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.
CVE-2020-10463 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/edit-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.
CVE-2020-10464 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/edit-article.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.
CVE-2020-10465 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/edit-category.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.
CVE-2020-10466 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/edit-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.
CVE-2020-10467 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/edit-comment.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.
CVE-2020-10468 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/edit-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.
CVE-2020-10469 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-departments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10470 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-fields.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10471 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-articles.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10472 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-templates.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10473 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-categories.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10474 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10475 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-tickets.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10476 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10477 (v3: 4.8) 12 Mar 2020
Reflected XSS in admin/manage-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
CVE-2020-10388 (v3: 6.1) 12 Mar 2020
The way the Referer header in article.php is handled in Chadha PHPKB Standard Multi-Language 9 allows attackers to execute Stored (Blind) XSS (injecting arbitrary web script or HTML) in admin/report-referrers.php (vulnerable file admin/include/functions-articles.php).
CVE-2020-10391 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-article.php by adding a question mark (?) followed by the payload.
CVE-2020-10392 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-category.php by adding a question mark (?) followed by the payload.
CVE-2020-10393 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-field.php by adding a question mark (?) followed by the payload.
CVE-2020-10394 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-glossary.php by adding a question mark (?) followed by the payload.
CVE-2020-10395 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-group.php by adding a question mark (?) followed by the payload.
CVE-2020-10396 (v3: 4.8) 12 Mar 2020
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-language.php by adding a question mark (?) followed by the payload.

2019

CVE-2019-11999 (v3: 6.9) 16 Apr 2020
Potential security vulnerabilities have been identified in HPE OpenCall Media Platform (OCMP) resulting in remote arbitrary file download and cross site scripting. HPE has made the following updates available to resolve the vulnerability in the impacted versions of OCMP. * For OCMP version 4.4.X - please upgrade to OCMP 4.4.8 and then install RP806 * For OCMP 4.5.x please contact HPE Technical Support to obtain the necessary software updates.
CVE-2019-11997 (v3: 6.1) 16 Jan 2020
A potential security vulnerability has been identified in HPE enhanced Internet Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be used for unauthorized access to information via cross site scripting. HPE has made the following software updates to resolve the vulnerability in eIUM. The eIUM 8.3 FP01 customers are advised to install the eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch. The eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or later versions. For other versions, please contact product support.
CVE-2019-19908 (v3: 6.1) 20 Dec 2019
phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
CVE-2019-11992 (v3: 6.1) 18 Dec 2019
A security vulnerability in HPE OneView for VMware vCenter 9.5 could be exploited remotely to allow Cross-Site Scripting.
CVE-2019-11656 (v3: 5.4) 4 Oct 2019
Stored XSS vulnerability in Micro Focus ArcSight Logger, affects versions prior to Logger 6.7.1 HotFix 6.7.1.8262.0. This vulnerability could allow Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2019-16703 (v3: 6.1) 23 Sep 2019
admin/infolist_add.php in PHPMyWind 5.6 has stored XSS.
CVE-2019-16704 (v3: 4.8) 23 Sep 2019
admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.
CVE-2019-14470 (v3: 6.1) 4 Sep 2019
cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.
CVE-2019-5403 (v3: 4.8) 9 Aug 2019
A remote multiple cross-site scripting vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.
CVE-2019-3486 (v3: 6.1) 25 Jul 2019
Mitigates a stored cross site scripting issue in ArcSight Security Management Center versions prior to 2.9.1.
CVE-2019-3485 (v3: 6.1) 24 Jul 2019
Mitigates a stored cross site scripting issue in ArcSight Logger versions prior to 6.7.1.
CVE-2019-1010193 (v3: 6.1) 24 Jul 2019
hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS).
CVE-2019-13472 (v3: 6.1) 9 Jul 2019
PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file.
CVE-2019-12507 (v3: 6.1) 31 May 2019
An XSS vulnerability exists in PHPRelativePath (aka Relative Path) through 1.0.2 via the RelativePath.Example1.php path parameter.
CVE-2019-9605 (v3: 5.4) 29 Mar 2019
PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload.
CVE-2019-3480 (v3: 6.1) 25 Mar 2019
Mitigates a stored/reflected XSS issue in ArcSight Logger versions prior to 6.7.
CVE-2019-10027 (v3: 4.8) 25 Mar 2019
PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field on the personal information screen.
CVE-2019-10010 (v3: 6.1) 24 Mar 2019
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583.
CVE-2019-7660 (v3: 6.1) 7 Mar 2019
An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.
CVE-2019-7661 (v3: 6.1) 7 Mar 2019
An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.
CVE-2019-9066 (v3: 5.4) 23 Feb 2019
PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML injection in a user profile.
CVE-2019-8435 (v3: 4.8) 18 Feb 2019
admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header.
CVE-2019-7402 (v3: 6.1) 5 Feb 2019
An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF.
CVE-2019-1000010 (v3: 6.1) 4 Feb 2019
phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in the victim's browser. This attack appears to be exploitable when the victim visits a link crafted by an attacker. This vulnerability appears to have been fixed in 1.4.

2018

CVE-2018-14499 (v3: 6.1) 7 Mar 2019
An issue was found in HYBBS through 2016-03-08. There is an XSS vulnerability via an article title to post.html.
CVE-2018-20583 (v3: 6.1) 30 Dec 2018
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt).
CVE-2018-20557 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?rec=edit has XSS via the page_name parameter.
CVE-2018-20558 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php?rec=update has XSS via the site_name parameter.
CVE-2018-20559 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.php?rec=update has XSS via the name parameter.
CVE-2018-20560 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/show.php?rec=update has XSS via the show_name parameter.
CVE-2018-20561 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article.php?rec=update has XSS via the title parameter.
CVE-2018-20562 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article_category.php?rec=update has XSS via the cat_name parameter.
CVE-2018-20563 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php?rec=system&act=update has XSS via the mobile_name parameter.
CVE-2018-20564 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter.
CVE-2018-20565 (v3: 4.8) 28 Dec 2018
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.
CVE-2018-1000860 (v3: 4.7) 20 Dec 2018
phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability: the value of the phpipamredirect cookie is copied into an HTML tag on the login page, encapsulated in single quotes. Editing the value of the cookie to r5zkh'>quqtl exploits the XSS vulnerability, which can result in arbitrary code execution in the victim's browser. This attack appears to be exploitable only when chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain.
CVE-2018-1000870 (v3: 5.4) 20 Dec 2018
PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in code execution in the victim's browser. This attack appears to be exploitable when an attacker changes the theme parameter in user settings; an admin (the victim) then views the user in the admin panel and is exploited. This vulnerability appears to have been fixed in 1.4.
CVE-2018-19970 (v3: 6.1) 11 Dec 2018
In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name.
CVE-2018-20012 (v3: 4.8) 10 Dec 2018
PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI.
CVE-2018-20006 (v3: 6.1) 10 Dec 2018
An issue was discovered in PHPok v5.0.055. There is a Stored XSS vulnerability via the title parameter to api.php?c=post&f=save (reachable via the index.php?id=book URI).
CVE-2018-19785 (v3: 6.1) 1 Dec 2018
PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL field in index.php.
CVE-2018-19547 (v3: 6.1) 26 Nov 2018
JTBC(PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&action=edit content parameter.
CVE-2018-19340 (v3: 6.1) 17 Nov 2018
Guriddo Form PHP 5.3 has XSS via the demos/jqform/defaultnodb/default.php OrderID, ShipName, ShipAddress, ShipCity, ShipPostalCode, ShipCountry, Freight, or details parameter.
CVE-2018-19186 (v3: 6.1) 14 Nov 2018
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the route.php paymentMethod parameter.
CVE-2018-19187 (v3: 6.1) 14 Nov 2018
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in a success.php echo statement.
CVE-2018-19188 (v3: 6.1) 14 Nov 2018
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the success.php fort_id parameter.
CVE-2018-19189 (v3: 6.1) 14 Nov 2018
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in an error.php echo statement.
CVE-2018-19190 (v3: 6.1) 14 Nov 2018
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the error.php error_msg parameter.
CVE-2018-17964 (v3: 6.1) 17 Oct 2018
Aryanic HighPortal 12.5 has XSS via an Add Tags action.
CVE-2018-18381 (v3: 5.4) 16 Oct 2018
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-16326 (v3: 6.1) 4 Oct 2018
PHP Scripts Mall Olx Clone 3.4.2 has XSS.
CVE-2018-16456 (v3: 6.1) 4 Oct 2018
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a keyword. NOTE: This may overlap with CVE-2018-6870 which has XSS via the Listings Search feature.
CVE-2018-6502 (v3: 6.1) 20 Sep 2018
A potential Reflected Cross-Site Scripting (XSS) Security vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Reflected Cross-site Scripting (XSS).
CVE-2018-17130 (v3: 5.4) 17 Sep 2018
PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header.
CVE-2018-17082 (v3: 6.1) 16 Sep 2018
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
CVE-2018-16142 (v3: 6.1) 30 Aug 2018
PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login_control.php via the _back parameter to the ok_f function.
CVE-2018-15605 (v3: 6.1) 24 Aug 2018
An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature.
CVE-2018-14869 (v3: 5.4) 6 Aug 2018
PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Address Line 2, Bank name, or A/C Holder name field in a profile.
CVE-2018-7075 (v3: 6.1) 6 Aug 2018
A remote cross-site scripting (XSS) vulnerability was identified in HPE Intelligent Management Center (iMC) PLAT version v7.3 (E0506). The vulnerability is fixed in Intelligent Management Center PLAT 7.3 E0605P04 or subsequent version.
CVE-2018-7090 (v3: 6.1) 6 Aug 2018
HPE XP P9000 Command View Advanced Edition Software (CVAE) has local and remote cross site scripting vulnerability in versions 7.0.0-00 to earlier than 8.60-00 of DevMgr, TSMgr and RepMgr.
CVE-2018-12581 (v3: 6.1) 21 Jun 2018
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
CVE-2018-11487 (v3: 6.1) 26 May 2018
PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php.
CVE-2018-6492 (v3: 6.1) 22 May 2018
Persistent Cross-Site Scripting and non-persistent HTML Injection in HP Network Operations Management Ultimate, versions 2017.07, 2017.11, 2018.02, and in Network Automation, versions 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50. This vulnerability could be remotely exploited to allow persistent cross-site scripting and non-persistent HTML Injection.
CVE-2018-11208 (v3: 4.8) 16 May 2018
** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege.
CVE-2018-10680 (v3: 6.1) 2 May 2018
** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug."
CVE-2018-10547 (v3: 6.1) 29 Apr 2018
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
CVE-2018-10329 (v3: 6.1) 24 Apr 2018
app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter.
CVE-2018-9169 (v3: 4.8) 16 Apr 2018
Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF.
CVE-2018-9238 (v3: 6.1) 4 Apr 2018
proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.
CVE-2018-0535 (v3: 6.1) 22 Mar 2018
Cross-site scripting vulnerability in PHP 2chBBS version bbs18c allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
CVE-2018-7736 (v3: 6.1) 6 Mar 2018
** DISPUTED ** In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability.
CVE-2018-7260 (v3: 5.4) 21 Feb 2018
Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
CVE-2018-5712 (v3: 6.1) 16 Jan 2018
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.

2017

CVE-2017-6216 (v3: 6.1) 3 Jul 2019
novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a reflected XSS in leadscoring.php, resulting in code execution.
CVE-2017-18364 (v3: 6.1) 27 Mar 2019
phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter.
CVE-2017-8991 (v3: 5.4) 6 Aug 2018
HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.
CVE-2017-9002 (v3: 6.1) 6 Aug 2018
All versions of Aruba ClearPass prior to 6.6.8 contain reflected cross-site scripting vulnerabilities. By exploiting this vulnerability, an attacker who can trick a logged-in ClearPass administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while currently logged into ClearPass in the same browser.
CVE-2017-6213 (v3: 5.4) 2 Aug 2018
paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permissions.php via the permToken parameter, resulting in code execution.
CVE-2017-6215 (v3: 5.4) 2 Aug 2018
paypal/permissions-sdk-php is vulnerable to reflected XSS in the samples/GetAccessToken.php verification_code parameter, resulting in code execution.
CVE-2017-15640 (v3: 5.4) 21 Apr 2018
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.
CVE-2017-5827 (v3: 5.4) 15 Feb 2018
A reflected cross site scripting vulnerability in HPE Aruba ClearPass Policy Manager version 6.6.x was found.
CVE-2017-8953 (v3: 5.4) 15 Feb 2018
A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v12.53 and earlier and HPE Performance Center version v12.53 and earlier was found.
CVE-2017-5798 (v3: 6.1) 15 Feb 2018
A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x).
CVE-2017-5800 (v3: 5.4) 15 Feb 2018
A Remote Cross-Site Scripting (XSS) vulnerability in HPE Operations Bridge Analytics version v3.0 was found.
CVE-2017-18121 (v3: 6.1) 2 Feb 2018
The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.
CVE-2017-2745 (v3: 6.1) 23 Jan 2018
Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to execute scripts in a user's browser.
CVE-2017-2746 (v3: 6.1) 23 Jan 2018
Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to create a denial of service.
CVE-2017-12810 (v3: 6.1) 30 Dec 2017
PHPJabbers PHP Newsletter Script 4.2 has stored XSS in lists in the admin panel.
CVE-2017-12811 (v3: 6.1) 30 Dec 2017
PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item.
CVE-2017-12812 (v3: 6.1) 30 Dec 2017
PHPJabbers Night Club Booking Software has stored XSS in the name parameter in the reservations tab.
CVE-2017-12813 (v3: 6.1) 30 Dec 2017
PHPJabbers File Sharing Script 1.0 has stored XSS in the comments section.
CVE-2017-17953 (v3: 6.1) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter.
CVE-2017-17954 (v3: 6.1) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter.
CVE-2017-17955 (v3: 6.1) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter.
CVE-2017-17956 (v3: 6.1) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter.
CVE-2017-17958 (v3: 6.1) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist.php fid parameter.
CVE-2017-17937 (v3: 6.1) 28 Dec 2017
Vanguard Marketplace Digital Products PHP has XSS via the phps_query parameter to /search.
CVE-2017-14359 (v3: 5.4) 3 Nov 2017
A potential security vulnerability has been identified in HPE Performance Center version 12.20. The vulnerability could be remotely exploited to allow cross-site scripting.
CVE-2017-14357 (v3: 6.1) 31 Oct 2017
A Reflected and Stored Cross-Site Scripting (XSS) vulnerability exists in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow Reflected and Stored Cross-Site Scripting (XSS).
CVE-2017-15872 (v3: 4.8) 24 Oct 2017
phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.
CVE-2017-15809 (v3: 6.1) 23 Oct 2017
In phpMyFaq before 2.9.9, there is XSS in admin/tags.main.php via a crafted tag.
CVE-2017-15727 (v3: 5.4) 22 Oct 2017
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.
CVE-2017-15728 (v3: 4.8) 22 Oct 2017
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.
CVE-2017-15648 (v3: 6.1) 19 Oct 2017
In PHPSUGAR PHP Melody before 2.7.3, page_manager.php has XSS via the page_title parameter.
CVE-2017-15384 (v3: 6.1) 16 Oct 2017
rate-me.php in Rate Me 1.0 has XSS via the id field in a rate action.
CVE-2017-15305 (v3: 6.1) 15 Oct 2017
XSS exists in NexusPHP 1.5 via the keyword parameter to messages.php.
CVE-2017-14354 (v3: 6.1) 5 Oct 2017
A remote cross-site scripting vulnerability in HP UCMDB Foundation Software versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, and 10.33 could be remotely exploited to allow cross-site scripting.
CVE-2017-12792 (v3: 6.1) 3 Oct 2017
Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.
CVE-2017-13986 (v3: 6.1) 30 Sep 2017
A reflected Cross-Site Scripting (XSS) vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows for unintended information disclosure when a specific URL is sent to the system.
CVE-2017-14352 (v3: 6.1) 30 Sep 2017
A potential security vulnerability has been identified in HP UCMDB Configuration Manager versions 10.10, 10.11, 10.20, 10.21, 10.22, and 10.23. This vulnerability could be remotely exploited to allow cross-site scripting.
CVE-2017-14618 (v3: 4.8) 20 Sep 2017
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
CVE-2017-14619 (v3: 6.1) 20 Sep 2017
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
CVE-2017-14534 (v3: 6.1) 18 Sep 2017
Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via the PATH_INFO to location.php, related to PHP_SELF.
CVE-2017-14347 (v3: 6.1) 12 Sep 2017
NexusPHP 1.5.beta5.20120707 has XSS in the returnto parameter to fun.php in a delete action.
CVE-2017-12906 (v3: 6.1) 7 Sep 2017
Multiple cross-site scripting (XSS) vulnerabilities in NexusPHP allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) cheaters.php or (2) confirm_resend.php.
CVE-2017-14070 (v3: 6.1) 31 Aug 2017
Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via the PATH_INFO to ipsearch.php, related to PHP_SELF.
CVE-2017-12984 (v3: 6.1) 21 Aug 2017
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
CVE-2017-12680 (v3: 6.1) 18 Aug 2017
Cross-Site Scripting (XSS) exists in NexusPHP 1.5 via the type parameter to shoutbox.php.
CVE-2017-12907 (v3: 6.1) 17 Aug 2017
Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the url path to usersearch.php.
CVE-2017-12798 (v3: 6.1) 10 Aug 2017
Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the q parameter to searchsuggest.php.
CVE-2017-12777 (v3: 6.1) 9 Aug 2017
Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via some parameter to usersearch.php.
CVE-2017-12655 (v3: 6.1) 7 Aug 2017
Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the query parameter to log.php in a dailylog action.
CVE-2017-11651 (v3: 6.1) 26 Jul 2017
NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url tag.

2016

CVE-2016-4392 (v3: 5.4) 6 Aug 2018
A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1.
CVE-2016-4399 (v3: 5.4) 6 Aug 2018
A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch 1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).
CVE-2016-4400 (v3: 5.4) 6 Aug 2018
A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch 1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).
CVE-2016-8527 (v3: 6.1) 6 Aug 2018
Aruba AirWave, all versions up to, but not including, 8.2.3.1, is vulnerable to reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while currently logged into AirWave in the same browser.
CVE-2016-9493 (v3: 6.1) 13 Jul 2018
The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.
CVE-2016-8517 (v3: 6.1) 15 Feb 2018
A cross site scripting vulnerability in HPE Systems Insight Manager in all versions prior to 7.6 was found.
CVE-2016-8522 (v3: 5.4) 15 Feb 2018
A cross-site scripting vulnerability in HPE Diagnostics version 9.24 IP1, 9.26, 9.26 IP1 was found.
CVE-2016-8532 (v3: 5.4) 15 Feb 2018
A cross site scripting vulnerability in HPE Matrix Operating Environment version 7.6 was found.
CVE-2016-10508 (v3: 6.1) 31 Aug 2017
Multiple cross-site scripting (XSS) vulnerabilities in phpThumb() before 1.7.14 allow remote attackers to inject arbitrary web script or HTML via parameters in demo/phpThumb.demo.showpic.php.
CVE-2016-6607 (v3: 6.1) 11 Dec 2016
XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6608 (v3: 6.1) 11 Dec 2016
XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected.
CVE-2016-6615 (v3: 6.1) 11 Dec 2016
XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.
CVE-2016-9856 (v3: 6.1) 11 Dec 2016
An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-9857 (v3: 6.1) 11 Dec 2016
An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-4393 (v3: 5.4) 28 Oct 2016
HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue.
CVE-2016-4380 (v3: 5.4) 8 Sep 2016
Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-4851 (v3: 6.1) 2 Sep 2016
Cross-site scripting (XSS) vulnerability in Let's PHP! simple chat before 2016-08-15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-5099 (v3: 6.1) 5 Jul 2016
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.
CVE-2016-5731 (v3: 6.1) 3 Jul 2016
Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.
CVE-2016-5732 (v3: 6.1) 3 Jul 2016
Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters.
CVE-2016-5733 (v3: 6.1) 3 Jul 2016
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml.
CVE-2016-5704 (v3: 6.1) 3 Jul 2016
Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment.
CVE-2016-4363 (v3: 6.1) 8 Jun 2016
HPE Insight Control server deployment allows remote attackers to modify data via unspecified vectors.
CVE-2016-1222 (v3: 6.1) 5 Jun 2016
Cross-site scripting (XSS) vulnerability in Kobe Beauty php-contact-form before 2016-05-18 allows remote attackers to inject arbitrary web script or HTML via a crafted URI.
CVE-2016-2010 (v3: 5.4) 7 May 2016
Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2011.
CVE-2016-2011 (v3: 5.4) 7 May 2016
Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2010.
CVE-2016-2559 (v3: 5.4) 1 Mar 2016
Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.
CVE-2016-2560 (v3: 6.1) 1 Mar 2016
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.
CVE-2016-2561 (v3: 5.4) 1 Mar 2016
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
CVE-2016-2045 (v3: 5.4) 20 Feb 2016
Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.

2015

CVE-2015-2144 (v3: 4.8) 6 Oct 2017
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) project name parameter to project.php; the (2) use_js parameter to user.php; the (3) use_js parameter to group.php; the (4) Description parameter to status.php; the (5) Description parameter to severity.php; the (6) Regex parameter to os.php; or the (7) Name parameter to database.php.
CVE-2015-2145 (v3: 4.8) 6 Oct 2017
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVE-2015-2148 (v3: 4.8) 6 Oct 2017
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.2 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVE-2015-8375 (v3: 5.4) 25 Sep 2017
Cross-site scripting (XSS) vulnerability in PHP-Fusion 9.
CVE-2015-5399 (v3: 5.4) 26 Aug 2016
Cross-site scripting (XSS) vulnerability in PHPVibe before 4.21 allows remote authenticated users to inject arbitrary web script or HTML via a comment.
CVE-2015-8935 (v3: 6.1) 7 Aug 2016
The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.
CVE-2015-5447 (v3: 5.4) 5 Jan 2016
Cross-site scripting (XSS) vulnerability in HP StoreOnce Backup system software before 3.13.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-7782 (v3: 6.1) 30 Dec 2015
Cross-site scripting (XSS) vulnerability in Let's PHP! Frame high-speed chat before 2015-09-22 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-7783 (v3: 6.1) 27 Dec 2015
Cross-site scripting (XSS) vulnerability in Let's PHP! p++BBS before 4.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-5441 (v2: 4.3) 12 Nov 2015
Multiple cross-site scripting (XSS) vulnerabilities in HP ArcSight Management Center before 2.1 and ArcSight Logger before 6.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-5444 (v2: 4.3) 18 Oct 2015
Multiple cross-site scripting (XSS) vulnerabilities in HP Smart Profile Server Data Analytics Layer (SPS DAL) 2.3 before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-2989 (v2: 4.3) 7 Sep 2015
Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP Twit BBS allows remote attackers to inject arbitrary web script or HTML via the imagetitle parameter.
CVE-2015-2982 (v2: 4.3) 22 Aug 2015
Cross-site scripting (XSS) vulnerability in jquery.lightbox-0.5.min.js in PHP Kobo Photo Gallery CMS for PC, smartphone and feature phone 1.0.1 Free and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified input to admin.php.
CVE-2015-6529 (v2: 4.3) 20 Aug 2015
Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter to site/error.php or (2) ip parameter to site/tools/searchResults.php.
CVE-2015-6518 (v2: 4.3) 18 Aug 2015
Multiple cross-site scripting (XSS) vulnerabilities in phpLiteAdmin 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) droptable parameter, or (3) table parameter to phpliteadmin.php.
CVE-2015-2969 (v2: 4.3) 10 Jul 2015
Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to inject arbitrary web script or HTML via the oekakis parameter.
CVE-2015-4135 (v2: 4.3) 28 May 2015
Cross-site scripting (XSS) vulnerability in goto.php in phpwind 8.7 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVE-2015-2926 (v2: 4.3) 14 Apr 2015
Cross-site scripting (XSS) vulnerability in Php/stats/statsRecent.inc.php in phpTrafficA 2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header to index.php.
CVE-2015-2217 (v2: 4.3) 10 Mar 2015
Multiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP Board (aka myUPB) before 2.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to search.php or (2) avatar parameter to profile.php.
CVE-2015-1431 (v2: 4.3) 10 Feb 2015
Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to "Relative Path Overwrite."
CVE-2015-1052 (v2: 4.3) 15 Jan 2015
Cross-site scripting (XSS) vulnerability in the poll archive in PHPKIT 1.6.6 (Build 160014) allows remote attackers to inject arbitrary web script or HTML via the result parameter to upload_files/pk/include.php.