2020

CVE-2020-16246 20 Oct 2020
The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow attackers to trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client.
CVE-2020-4748 (v3: 6.1) 20 Oct 2020
IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188517.
CVE-2020-4755 (v3: 5.4) 20 Oct 2020
IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188595.
CVE-2020-15245 19 Oct 2020
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.
CVE-2020-15263 19 Oct 2020
In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4.
CVE-2020-15253 14 Oct 2020
Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
CVE-2020-13339 (v3: 6.5) 8 Oct 2020
An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.
CVE-2020-2289 8 Oct 2020
Jenkins Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2290 8 Oct 2020
Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2292 8 Oct 2020
Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.
CVE-2020-15177 7 Oct 2020
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.
CVE-2020-15217 7 Oct 2020
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
CVE-2020-15231 2 Oct 2020
In mapfish-print before version 3.24, a user can use the JSONP support to do a Cross-site scripting.
CVE-2020-26523 (v3: 6.1) 2 Oct 2020
Froala Editor before 3.2.2 allows XSS via pasted content.
CVE-2020-5785 (v3: 6.1) 1 Oct 2020
Insufficient output sanitization in Teltonika firmware TRB2_R_00.02.04.3 allows an unauthenticated attacker to conduct reflected cross-site scripting via a crafted ‘action’ or ‘pkg_name’ parameter.
CVE-2020-26114 (v3: 6.1) 25 Sep 2020
cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
CVE-2020-26115 (v3: 6.1) 25 Sep 2020
cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).
CVE-2020-15162 24 Sep 2020
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15161 24 Sep 2020
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8
CVE-2020-4615 (v3: 5.4) 22 Sep 2020
IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 184928.
CVE-2020-15183 17 Sep 2020
SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage.
CVE-2020-2256 (v3: 5.4) 16 Sep 2020
Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2257 (v3: 5.4) 16 Sep 2020
Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2259 (v3: 5.4) 16 Sep 2020
Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
CVE-2020-2262 (v3: 5.4) 16 Sep 2020
Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
CVE-2020-2263 (v3: 5.4) 16 Sep 2020
Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2264 (v3: 5.4) 16 Sep 2020
Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2266 (v3: 5.4) 16 Sep 2020
Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-2269 (v3: 5.4) 16 Sep 2020
Jenkins chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.
CVE-2020-2270 (v3: 5.4) 16 Sep 2020
Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-15178 15 Sep 2020
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.
CVE-2020-15179 15 Sep 2020
The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using
CVE-2020-15169 11 Sep 2020
In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
CVE-2020-16218 11 Sep 2020
Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application.
CVE-2020-25086 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/advanced_settings/adminUsers.php.
CVE-2020-25087 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/advanced_settings/languages.php.
CVE-2020-25088 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/blog/blogpublish.php.
CVE-2020-25089 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/discounts.php.
CVE-2020-25090 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/publish.php.
CVE-2020-25091 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/vendor/views/add_product.php.
CVE-2020-25092 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in _parts/header.php, within application/views/templates/clothesshop, application/views/templates/greenlabel, and application/views/templates/redlabel.
CVE-2020-25093 (v3: 6.1) 3 Sep 2020
Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in blog.php. within application/views/templates/clothesshop, application/views/templates/onepage, and application/views/templates/redlabel.
CVE-2020-16206 1 Sep 2020
The affected product is vulnerable to stored cross-site scripting, which may allow an attacker to remotely execute arbitrary code to gain access to sensitive data on the N-Tron 702-W / 702M12-W (all versions).
CVE-2020-16210 1 Sep 2020
The affected product is vulnerable to reflected cross-site scripting, which may allow an attacker to remotely execute arbitrary code and perform actions in the context of an attacked user on the N-Tron 702-W / 702M12-W (all versions).
CVE-2020-20628 (v3: 6.1) 31 Aug 2020
controller/controller-comments.php in WP GDPR plugin through 2.1.1 has unauthenticated stored XSS.
CVE-2020-15155 28 Aug 2020
baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components is toolbar.php. The issue is fixed in version 4.3.7.
CVE-2020-15159 28 Aug 2020
baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file.The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.
CVE-2020-4575 (v3: 6.1) 27 Aug 2020
IBM WebSphere Application Server ND 8.5 and 9.0, and IBM WebSphere Virtual Enterprise 7.0 and 8.0 are vulnerable to cross-site scripting when High Availability Deployment Manager is configured.
CVE-2020-23654 (v3: 5.4) 26 Aug 2020
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop."
CVE-2020-23655 (v3: 5.4) 26 Aug 2020
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."

2019

CVE-2019-20900 (v3: 4.8) 13 Jul 2020
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.
CVE-2019-19110 (v3: 4.8) 15 Jun 2020
The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.
CVE-2019-19111 (v3: 6.1) 15 Jun 2020
The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases langid parameter.
CVE-2019-19112 (v3: 6.1) 15 Jun 2020
The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw-td-value class of dashboard.php.
CVE-2019-16385 (v3: 6.1) 4 Jun 2020
Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed.
CVE-2019-11843 (v3: 6.1) 2 Jun 2020
The MailPoet plugin before 3.23.2 for WordPress allows remote attackers to inject arbitrary web script or HTML using extra parameters in the URL (Reflective Server-Side XSS).
CVE-2019-20768 (v3: 5.4) 5 May 2020
ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do.
CVE-2019-19514 (v3: 5.4) 5 May 2020
Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID.
CVE-2019-19515 (v3: 6.1) 5 May 2020
Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in wireless settings.
CVE-2019-17557 (v3: 5.4) 4 May 2020
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.
CVE-2019-7634 (v3: 5.4) 29 Apr 2020
SUAP V2 allows XSS during the update of user information.
CVE-2019-18223 (v3: 5.4) 27 Apr 2020
ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config.
CVE-2019-20789 (v3: 4.8) 26 Apr 2020
Croogo before 3.0.7 allows XSS via the title to admin/menus/menus or admin/taxonomy/vocabularies.
CVE-2019-20102 (v3: 6.1) 22 Apr 2020
The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter.
CVE-2019-4644 (v3: 6.1) 17 Apr 2020
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170880.
CVE-2019-4749 (v3: 5.4) 17 Apr 2020
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 173308.
CVE-2019-20752 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.75, D6000 before 1.0.0.75, D7800 before 1.0.1.44, DM200 before 1.0.0.58, R7800 before 1.0.2.58, R8900 before 1.0.4.12, R9000 before 1.0.4.12, RBK20 before 2.3.0.28, RBR20 before 2.3.0.28, RBS20 before 2.3.0.28, RBK40 before 2.3.0.28, RBS40 before 2.3.0.28, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, RBS50 before 2.3.0.32, WN3000RPv2 before 1.0.0.68, WN3000RPv3 before 1.0.2.70, WN3100RPv2 before 1.0.0.60, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, and WNR2000v5 before 1.0.0.68.
CVE-2019-20756 (v3: 6.1) 16 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects EX7000 before 1.0.0.64, EX6200 before 1.0.3.86, EX6150 before 1.0.0.38, EX6130 before 1.0.0.22, EX6120 before 1.0.0.40, EX6100 before 1.0.2.22, EX6000 before 1.0.0.30, EX3700 before 1.0.0.70, EX3800 before 1.0.0.70, R8300 before 1.0.2.94, R7300DST before 1.0.0.62, R7000P before 1.3.0.20, R6900P before 1.3.0.20, R6400 before 1.0.1.32, R6300v2 before 1.0.4.24, R8500 before 1.0.2.94, WNDR3400v3 before 1.0.1.18, and WN2500RPv2 before 1.0.1.52.
CVE-2019-20759 (v3: 5.2) 16 Apr 2020
NETGEAR R9000 devices before 1.0.4.26 are affected by stored XSS.
CVE-2019-20746 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects D3600 before 1.0.0.75, D6000 before 1.0.0.75, D7800 before 1.0.1.44, DM200 before 1.0.0.58, R7800 before 1.0.2.58, R8900 before 1.0.4.12, R9000 before 1.0.4.8, RBK20 before 2.3.0.28, RBR20 before 2.3.0.28, RBS20 before 2.3.0.28, RBK40 before 2.3.0.28, RBS40 before 2.3.0.28, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, RBS50 before 2.3.0.32, WN3000RPv2 before 1.0.0.68, WN3000RPv3 before 1.0.2.70, WN3100RPv2 before 1.0.0.60, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, and WNR2000v5 before 1.0.0.68.
CVE-2019-20749 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.47, EX6100v2 before 1.0.1.76, EX6150v2 before 1.0.1.76, R7500v2 before 1.0.3.38, R7800 before 1.0.2.52, R8900 before 1.0.4.12, R9000 before 1.0.4.12, WN2000RPTv3 before 1.0.1.32, WN3000RPv3 before 1.0.2.70, and WN3100RPv2 before 1.0.0.66.
CVE-2019-20750 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.47, EX6150v2 before 1.0.1.76, R7500v2 before 1.0.3.38, R7800 before 1.0.2.52, R8900 before 1.0.4.12, R9000 before 1.0.4.12, WN2000RPTv3 before 1.0.1.32, WN3000RPv3 before 1.0.2.70, and WN3100RPv2 before 1.0.0.66.
CVE-2019-20738 (v3: 5.4) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.58, D7800 before 1.0.1.34, JNR1010v2 before 1.1.0.50, JWNR2010v5 before 1.1.0.50, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R6020 before 1.0.0.30, R6080 before 1.0.0.30, R6100 before 1.0.1.16, R6120 before 1.0.0.40, R6700v2 before 1.2.0.14, R6800 before 1.2.0.14, R6900v2 before 1.2.0.14, R7500v2 before 1.0.3.26, R7800 before 1.0.2.46, R9000 before 1.0.4.2, WN3000RPv2 before 1.0.0.52, WN3000RPv3 before 1.0.2.78, WNDR3700v4 before 1.0.2.102, WNDR3700v5 before 1.1.0.54, WNDR4300v1 before 1.0.2.104, WNDR4300v2 before 1.0.0.48, WNDR4500v3 before 1.0.0.48, WNR1000v4 before 1.1.0.50, WNR2000v5 before 1.0.0.64, WNR2020 before 1.1.0.50, and WNR2050 before 1.1.0.50. NOTE: this may be a result of an incomplete fix for CVE-2017-18866.
CVE-2019-20742 (v3: 5.2) 16 Apr 2020
NETGEAR WAC510 devices before 8.0.1.3 are affected by stored XSS.
CVE-2019-20743 (v3: 5.2) 16 Apr 2020
NETGEAR WAC510 devices before 8.0.1.3 are affected by stored XSS.
CVE-2019-11999 (v3: 6.9) 16 Apr 2020
Potential security vulnerabilities have been identified in HPE OpenCall Media Platform (OCMP) resulting in remote arbitrary file download and cross site scripting. HPE has made the following updates available to resolve the vulnerability in the impacted versions of OCMP. * For OCMP version 4.4.X - please upgrade to OCMP 4.4.8 and then install RP806 * For OCMP 4.5.x please contact HPE Technical Support to obtain the necessary software updates.
CVE-2019-20714 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.75, D6000 before 1.0.0.75, D7800 before 1.0.1.44, DM200 before 1.0.0.58, R7500v2 before 1.0.3.40, R7800 before 1.0.2.60, R8900 before 1.0.4.12, R9000 before 1.0.4.12, RBK20 before 2.3.0.22, RBR20 before 2.3.0.22, RBS20 before 2.3.0.22, RBK50 before 2.3.0.22, RBR50 before 2.3.0.22, RBS50 before 2.3.0.22, RBS40 before 2.3.0.22, WN3000RPv2 before 1.0.0.68, WN3000RPv3 before 1.0.2.70, WN3100RPv2 before 1.0.0.60, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, and WNR2000v5 before 1.0.0.68.
CVE-2019-20715 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, D6100 before 1.0.0.63, D7800 before 1.0.1.47, DM200 before 1.0.0.61, R7500v2 before 1.0.3.40, R7800 before 1.0.2.60, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, and RBS50 before 2.3.0.32.
CVE-2019-20720 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, D7800 before 1.0.1.47, R7500v2 before 1.0.3.38, R7800 before 1.0.2.52, R8900 before 1.0.4.12, R9000 before 1.0.4.12, WN2000RPTv3 before 1.0.1.32, WN3000RPv3 before 1.0.2.70, and WN3100RPv2 before 1.0.0.66.
CVE-2019-20721 (v3: 4.8) 16 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.47, EX2700 before 1.0.1.48, EX6100v2 before 1.0.1.76, EX6150v2 before 1.0.1.76, EX6200v2 before 1.0.1.72, EX6400 before 1.0.2.136, EX7300 before 1.0.2.136, R7500v2 before 1.0.3.38, R7800 before 1.0.2.52, R8900 before 1.0.4.12, R9000 before 1.0.4.12, WN2000RPTv3 before 1.0.1.32, WN3000RPv2 before 1.0.0.68, WN3000RPv3 before 1.0.2.70, WN3100RPv2 before 1.0.0.66, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, WNR2000v5 before 1.0.0.66, XR450 before 2.3.2.32, and XR500 before 2.3.2.32.
CVE-2019-19394 (v3: 6.1) 16 Apr 2020
Northern.tech CFEngine Enterprise before 3.10.7, 3.11.x and 3.12.x before 3.12.3, 3.13.x, and 3.14.x allows XSS. This is fixed in 3.10.7, 3.12.3, and 3.15.0.
CVE-2019-20664 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20665 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20666 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20667 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20668 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20669 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20670 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20671 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20672 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20673 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20674 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20675 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20677 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20678 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20660 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20661 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20662 (v3: 4.3) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20663 (v3: 4.3) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
CVE-2019-20639 (v3: 4.8) 15 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.

2018

CVE-2018-18623 (v3: 6.1) 2 Jun 2020
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18624 (v3: 6.1) 2 Jun 2020
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18625 (v3: 6.1) 2 Jun 2020
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-21209 (v3: 4.8) 28 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects JNR1010v2 before 1.1.0.46, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.46, PR2000 before 1.0.0.20, R6050 before 1.0.1.10, R6220 before 1.1.0.60, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.46, WNR2020 before 1.1.0.46, and WNR2050 before 1.1.0.46.
CVE-2018-21155 (v3: 6.1) 27 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.34, DM200 before 1.0.0.52, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7500v2 before 1.0.3.26, R7800 before 1.0.2.42, R8900 before 1.0.4.2, R9000 before 1.0.3.16, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64.
CVE-2018-21167 (v3: 5.5) 27 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.57, DM200 before 1.0.0.50, EX2700 before 1.0.1.32, EX6100v2 before 1.0.1.70, EX6150v2 before 1.0.1.70, EX6200v2 before 1.0.1.62, EX6400 before 1.0.1.78, EX7300 before 1.0.1.78, EX8000 before 1.0.0.114, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WN2000RPTv3 before 1.0.1.26, WN3000RPv3 before 1.0.2.66, WN3100RPv2 before 1.0.0.42, WNDR3700v4 before 1.0.2.96, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64.
CVE-2018-21095 (v3: 4.3) 27 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects SRR60 before 2.2.1.210 and SRS60 before 2.2.1.210.
CVE-2018-18405 (v3: 6.1) 22 Apr 2020
jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element.
CVE-2018-10125 (v3: 6.1) 16 Mar 2020
Contao before 4.5.7 has XSS in the system log.
CVE-2018-10704 (v3: 6.1) 12 Mar 2020
yidashi yii2cmf 2.0 has XSS via the /search q parameter.
CVE-2018-19599 (v3: 5.4) 2 Mar 2020
Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product.
CVE-2018-17572 (v3: 4.8) 2 Mar 2020
InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
CVE-2018-19658 (v3: 5.4) 2 Mar 2020
The Markdown editor in YXBJ before 8.3.2 on macOS has stored XSS. This behavior may be encountered by some Evernote users; however, it is a vulnerability in YXBJ, not a vulnerability in Evernote.
CVE-2018-15820 (v3: 6.1) 2 Mar 2020
EasyIO EasyIO-30P devices before 2.0.5.27 allow XSS via the dev.htm GDN parameter.
CVE-2018-14384 (v3: 4.8) 2 Mar 2020
The Website Manager module in SEO Panel 3.13.0 and earlier is affected by a stored Cross-Site Scripting (XSS) vulnerability, allowing remote authenticated attackers to inject arbitrary web script or HTML via the websites.php name parameter.
CVE-2018-17981 (v3: 6.1) 22 Jan 2020
Lifesize Express ls ex2_4.7.10 2000 (14) devices allow XSS via the interface/interface.php brand parameter.
CVE-2018-14476 (v3: 6.1) 31 Dec 2019
GeniXCMS 1.1.5 has XSS via the dbuser or dbhost parameter during step 1 of installation.
CVE-2018-20490 (v3: 5.4) 30 Dec 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
CVE-2018-20491 (v3: 5.4) 30 Dec 2019
An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
CVE-2018-20496 (v3: 5.4) 30 Dec 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
CVE-2018-7859 (v3: 6.1) 30 Dec 2019
A security vulnerability in D-Link DGS-1510-series switches with firmware 1.20.011, 1.30.007, 1.31.B003 and older that may allow a remote attacker to inject malicious scripts in the device and execute commands via browser that is configuring the unit.
CVE-2018-10854 (v3: 5.4) 22 Nov 2019
cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field.
CVE-2018-18674 (v3: 6.1) 7 Nov 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board tail contents" parameter, aka the adm/board_form_update.php bo_content_tail parameter.
CVE-2018-18678 (v3: 6.1) 30 Oct 2019
GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board group extra contents" parameter, aka the adm/boardgroup_form_update.php gr_1~10 parameter.
CVE-2018-10727 (v3: 6.1) 29 Oct 2019
Reflected Cross-Site Scripting (XSS) vulnerability in the fabrik_referrer hidden field in the Fabrikar Fabrik component through v3.8.1 for Joomla! allows remote attackers to inject arbitrary web script via the HTTP Referer header.
CVE-2018-18379 (v3: 6.1) 7 Oct 2019
The elementor-edit-template class in wp-admin/customize.php in the Elementor Pro plugin before 2.0.10 for WordPress has XSS.
CVE-2018-9090 (v3: 6.1) 24 Sep 2019
CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards.
CVE-2018-11200 (v3: 6.1) 20 Sep 2019
An issue was discovered in Mautic 2.13.1. It has Stored XSS via the company name field.
CVE-2018-21012 (v3: 6.1) 9 Sep 2019
The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS.
CVE-2018-21014 (v3: 5.4) 9 Sep 2019
The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS.
CVE-2018-11198 (v3: 6.1) 6 Sep 2019
An issue was discovered in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json.
CVE-2018-15510 (v3: 6.1) 30 Aug 2019
Cross-site scripting (XSS) vulnerability in the 'Certificate' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.
CVE-2018-15511 (v3: 6.1) 30 Aug 2019
Cross-site scripting (XSS) vulnerability in the 'Notification template' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.
CVE-2018-15512 (v3: 6.1) 30 Aug 2019
Cross-site scripting (XSS) vulnerability in the 'Authorisation Service' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.
CVE-2018-18370 (v3: 6.1) 30 Aug 2019
The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. A stored cross-site scripting (XSS) vulnerability in the WebFTP mode allows a remote attacker to inject malicious JavaScript code in ASG/ProxySG's web listing of a remote FTP server. Exploiting the vulnerability requires the attacker to be able to upload crafted files to the remote FTP server. Affected versions: ASG 6.6 and 6.7 prior to 6.7.4.2; ProxySG 6.5 prior to 6.5.10.15, 6.6, and 6.7 prior to 6.7.4.2.
CVE-2018-21001 (v3: 6.1) 27 Aug 2019
The anycomment plugin before 0.0.33 for WordPress has XSS.
CVE-2018-18668 (v3: 6.1) 26 Aug 2019
GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "homepage title" parameter, aka the adm/config_form_update.php cf_title parameter.
CVE-2018-20986 (v3: 5.4) 22 Aug 2019
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.
CVE-2018-20983 (v3: 6.1) 22 Aug 2019
The wp-retina-2x plugin before 5.2.3 for WordPress has XSS.
CVE-2018-20982 (v3: 6.1) 22 Aug 2019
The media-library-assistant plugin before 2.74 for WordPress has XSS via the Media/Assistant or Settings/Media Library assistant admin submenu screens.
CVE-2018-20970 (v3: 6.1) 21 Aug 2019
The pdf-print plugin before 2.0.3 for WordPress has multiple XSS issues.
CVE-2018-20977 (v3: 6.1) 21 Aug 2019
The all-in-one-schemaorg-rich-snippets plugin before 1.5.0 for WordPress has XSS on the settings page.
CVE-2018-20978 (v3: 6.1) 20 Aug 2019
The wp-all-import plugin before 3.4.7 for WordPress has XSS.
CVE-2018-20975 (v3: 6.1) 20 Aug 2019
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.
CVE-2018-17790 (v3: 6.1) 15 Aug 2019
Prospecta Master Data Online (MDO) 2.0 has Stored XSS.
CVE-2018-12101 (v3: 5.4) 15 Aug 2019
CMS Clipper 1.3.3 has XSS in the Security tab search, User Groups, Resource Groups, and User/Resource Group Links fields.
CVE-2018-19386 (v3: 6.1) 14 Aug 2019
SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI.
CVE-2018-20963 (v3: 6.1) 13 Aug 2019
The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.
CVE-2018-20965 (v3: 6.1) 12 Aug 2019
The ultimate-member plugin before 2.0.4 for WordPress has XSS.
CVE-2018-20966 (v3: 6.1) 12 Aug 2019
The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

2017

CVE-2017-18866 (v3: 6.1) 5 May 2020
Certain NETGEAR devices are affected by stored XSS. This affects R9000 before 1.0.2.40, R6100 before 1.0.1.1, 6R7500 before 1.0.0.110, R7500v2 before 1.0.3.20, R7800 before 1.0.2.36, WNDR4300v2 before 1.0.0.48, and WNR2000v5 before 1.0.0.58.
CVE-2017-18700 (v3: 6.1) 24 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects D6400 before 1.0.0.60, D7000 before 1.0.1.50, D8500 before 1.0.3.29, EX6200 before 1.0.3.84, EX7000 before 1.0.0.60, R6250 before 1.0.4.16, R6300v2 before 1.0.4.18, R6400 before 1.01.32, R6400v2 before 1.0.2.44, R6700 before 1.0.1.36, R6900 before 1.0.1.34, R6900P before 1.3.0.8, R7000 before 1.0.9.14, R7000P before 1.3.0.8, R7100LG before 1.0.0.34, R7300DST before 1.0.0.56, R7900 before 1.0.1.26, R8000 before 1.0.4.4, R8300 before 1.0.2.106, R8500 before 1.0.2.106, R9000 before 1.0.2.52, WNDR3400v3 before 1.0.1.16, WNR3500Lv2 before 1.2.0.46, and WNDR3700v5 before 1.1.0.48.
CVE-2017-18701 (v3: 6.1) 24 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects R6700 before 1.0.1.36 and R6900 before 1.0.1.34.
CVE-2017-18715 (v3: 6.1) 24 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects EX3700 before 1.0.0.66, EX3800 before 1.0.0.66, EX6100 before 1.0.2.20, EX6120 before 1.0.0.34, EX6150 before 1.0.0.36, EX6200 before 1.0.3.84, and EX7000 before 1.0.0.60.
CVE-2017-18745 (v3: 6.1) 23 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects R6400 before 1.0.1.14, R6700 before 1.0.1.22, R6900 before 1.0.1.22, R7000 before 1.0.9.4, R7100LG before 1.0.0.32, R7300DST before 1.0.0.56, R7900 before 1.0.1.12, R8000 before 1.0.3.24, and R8500 before 1.0.2.74.
CVE-2017-18783 (v3: 6.1) 22 Apr 2020
Certain NETGEAR devices are affected by XSS. This affects D6200 before 1.1.00.24, D7000 before 1.0.1.52, JNR1010v2 before 1.1.0.44, JR6150 before 1.0.1.12, JWNR2010v5 before 1.1.0.44, PR2000 before 1.0.0.20, R6020 before 1.0.0.26, R6050 before 1.0.1.12, R6080 before 1.0.0.26, R6120 before 1.0.0.36, R6220 before 1.1.0.60, R6700v2 before 1.2.0.12, R6800 before 1.2.0.12, R6900v2 before 1.2.0.12, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.44, WNR2020 before 1.1.0.44, and WNR2050 before 1.1.0.44.
CVE-2017-18784 (v3: 6.1) 22 Apr 2020
Certain NETGEAR devices are affected by XSS. This affects D6200 before 1.1.00.24, D7000 before 1.0.1.52, JNR1010v2 before 1.1.0.44, JWNR2010v5 before 1.1.0.44, PR2000 before 1.0.0.20, R6020 before 1.0.0.26, R6050 before 1.0.1.12, R6080 before 1.0.0.26, R6120 before 1.0.0.36, R6220 before 1.1.0.60, R6700v2 before 1.2.0.12, R6800 before 1.2.0.12, R6900v2 before 1.2.0.12, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.44, WNR2020 before 1.1.0.44, and WNR2050 before 1.1.0.44.
CVE-2017-18785 (v3: 4.8) 22 Apr 2020
Certain NETGEAR devices are affected by XSS. This affects D3600 before 1.0.0.67, D6000 before 1.0.0.67, D6100 before 1.0.0.56, D6200 before 1.1.00.24, D6220 before 1.0.0.32, D6400 before 1.0.0.66, D7000 before 1.0.1.52, D7000v2 before 1.0.0.44, D7800 before 1.0.1.30, D8500 before 1.0.3.35, DGN2200v4 before 1.0.0.96, DGN2200Bv4 before 1.0.0.96, EX2700 before 1.0.1.28, EX6100v2 before 1.0.1.54, EX6150v2 before 1.0.1.54, EX6200v2 before 1.0.1.52, EX6400 before 1.0.1.72, EX7300 before 1.0.1.72, EX8000 before 1.0.0.102, JNR1010v2 before 1.1.0.44, JWNR2010v5 before 1.1.0.44, PR2000 before 1.0.0.20, R6020 before 1.0.0.26, R6080 before 1.0.0.26, R6100 before 1.0.1.20, R6250 before 1.0.4.16, R6300v2 before 1.0.4.18, R6400 before 1.0.1.32, R6400v2 before 1.0.2.46, R6700 before 1.0.1.36, R6800 before 1.2.0.12, R6900v2 before 1.2.0.12, R6700v2 before 1.2.0.12, R6900 before 1.0.1.34, R6900P before 1.3.0.8, R7000 before 1.0.9.18, R7000P before 1.3.0.8, R7100LG before 1.0.0.34, R7300DST before 1.0.0.58, R7500 before 1.0.0.118, R7500v2 before 1.0.3.24, R7800 before 1.0.2.40, R7900 before 1.0.2.4, R7900P before 1.1.5.14, R8000 before 1.0.4.4, R8000P before 1.1.5.14, R8500 before 1.0.2.110, R8300 before 1.0.2.110, R9000 before 1.0.2.52, WN2000RPTv3 before 1.0.1.8, WN3000RPv3 before 1.0.2.50, WN3100RPv2 before 1.0.0.42, WNDR3400v3 before 1.0.1.16, WNDR3700v4 before 1.0.2.94, WNDR4300 before 1.0.2.96, WNDR4300v2 before 1.0.0.50, WNDR4500v3 before 1.0.0.50, WNR1000v4 before 1.1.0.44, WNR2000v5 before 1.0.0.62, WNR2020 before 1.1.0.44, WNR2050 before 1.1.0.44, and WNR3500Lv2 before 1.2.0.46.
CVE-2017-18800 (v3: 6.1) 21 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects R6700v2 before 1.1.0.42 and R6800 before 1.1.0.42.
CVE-2017-18807 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18809 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18820 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18810 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18811 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18812 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18813 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18814 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18815 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18816 (v3: 4.8) 21 Apr 2020
NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
CVE-2017-18821 (v3: 4.8) 21 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18825 (v3: 4.8) 20 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18827 (v3: 4.8) 20 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18828 (v3: 4.8) 20 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18831 (v3: 4.8) 20 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18832 (v3: 4.8) 20 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18833 (v3: 6.1) 20 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18834 (v3: 6.1) 20 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18835 (v3: 6.1) 20 Apr 2020
Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18839 (v3: 4.8) 20 Apr 2020
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
CVE-2017-18639 (v3: 6.1) 6 Nov 2019
Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : Page Title, /Content/News Parameter : News Title, /Content/List Parameter : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter : Document Title, /Content/Images/LibraryImages/newsimages Parameter : Image Title, /Content/links Parameter : Link Title, /Content/links Parameter : Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter : Video Title.
CVE-2017-1002201 (v3: 6.1) 15 Oct 2019
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.
CVE-2017-18635 (v3: 6.1) 25 Sep 2019
An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
CVE-2017-18612 (v3: 6.1) 13 Sep 2019
The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/func-whois.php domain parameter.
CVE-2017-18613 (v3: 6.1) 13 Sep 2019
The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin.php?page=trust-form-edit page parameter.
CVE-2017-18615 (v3: 6.1) 13 Sep 2019
The kama-clic-counter plugin before 3.5.0 for WordPress has XSS.
CVE-2017-18600 (v3: 5.4) 10 Sep 2019
The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.
CVE-2017-18601 (v3: 5.4) 10 Sep 2019
The examapp plugin 1.0 for WordPress has XSS via exam input text fields.
CVE-2017-18603 (v3: 6.1) 10 Sep 2019
The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter.
CVE-2017-18606 (v3: 6.1) 10 Sep 2019
The avada theme before 5.1.5 for WordPress has stored XSS.
CVE-2017-18608 (v3: 6.1) 10 Sep 2019
The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues.
CVE-2017-18609 (v3: 6.1) 10 Sep 2019
The magic-fields plugin before 1.7.2 for WordPress has XSS via the custom-write-panel-id parameter.
CVE-2017-18610 (v3: 6.1) 10 Sep 2019
The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-group-id parameter.
CVE-2017-18611 (v3: 6.1) 10 Sep 2019
The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-field-css parameter.
CVE-2017-18598 (v3: 6.1) 10 Sep 2019
The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php.
CVE-2017-18599 (v3: 6.1) 10 Sep 2019
The Pinfinity theme before 2.0 for WordPress has XSS via the s parameter.
CVE-2017-18593 (v3: 6.1) 28 Aug 2019
The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cases where an attacker controls a string logged to a log file.
CVE-2017-18591 (v3: 6.1) 27 Aug 2019
The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php.
CVE-2017-18590 (v3: 6.1) 27 Aug 2019
The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.
CVE-2017-18578 (v3: 6.1) 22 Aug 2019
The crafty-social-buttons plugin before 1.5.8 for WordPress has XSS.
CVE-2017-18579 (v3: 6.1) 22 Aug 2019
The corner-ad plugin before 1.0.8 for WordPress has XSS.

2016

CVE-2016-6588 (v3: 5.4) 8 Jan 2020
A Cross-Site Scripting (XSS) vulnerability exists in the ITMS workflow process manager console in Symantec IT Management Suite 8.0.
CVE-2016-1000028 (v3: 4.8) 27 Dec 2019
Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would only potentially impact other admins. (Tenable ID 5198).
CVE-2016-1000029 (v3: 4.8) 27 Dec 2019
Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would potentially impact other admins (Tenable IDs 5218 and 5269).
CVE-2016-9271 (v3: 5.4) 26 Nov 2019
Cloudera Manager 5.7.x before 5.7.6, 5.8.x before 5.8.4, and 5.9.x before 5.9.1 allows XSS in the help search feature.
CVE-2016-1000037 (v3: 6.1) 6 Nov 2019
Pagure: XSS possible in file attachment endpoint
CVE-2016-11016 (v3: 6.1) 16 Oct 2019
NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS.
CVE-2016-10998 (v3: 6.1) 20 Sep 2019
The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/plugins/ocim-mp3/source/pages.php?id= XSS.
CVE-2016-10999 (v3: 6.1) 20 Sep 2019
The Goodnews theme through 2016-02-28 for WordPress has XSS via the s parameter.
CVE-2016-11001 (v3: 6.1) 20 Sep 2019
The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field.
CVE-2016-11005 (v3: 6.1) 20 Sep 2019
The instalinker plugin before 1.1.2 for WordPress has includes/instalinker-admin-preview.php?client_id= XSS.
CVE-2016-11012 (v3: 5.4) 20 Sep 2019
The sola-support-tickets plugin before 3.13 for WordPress has incorrect access control for /wp-admin with resultant XSS.
CVE-2016-11013 (v3: 6.1) 20 Sep 2019
The wp-listings plugin before 2.0.2 for WordPress has includes/views/single-listing.php XSS.
CVE-2016-10994 (v3: 6.1) 18 Sep 2019
The Truemag theme 2016 Q2 for WordPress has XSS via the s parameter.
CVE-2016-10975 (v3: 6.1) 17 Sep 2019
The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter.
CVE-2016-10976 (v3: 6.1) 17 Sep 2019
The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS.
CVE-2016-10979 (v3: 6.1) 17 Sep 2019
The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS.
CVE-2016-10980 (v3: 6.1) 17 Sep 2019
The kento-post-view-counter plugin through 2.8 for WordPress has XSS via kento_pvc_geo.
CVE-2016-10981 (v3: 6.1) 17 Sep 2019
The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kento_pvc_numbers_lang, kento_pvc_today_text, or kento_pvc_total_text.
CVE-2016-10984 (v3: 6.1) 17 Sep 2019
The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter.
CVE-2016-10985 (v3: 6.1) 17 Sep 2019
The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.
CVE-2016-10986 (v3: 6.1) 17 Sep 2019
The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret.
CVE-2016-10987 (v3: 6.1) 17 Sep 2019
The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS.
CVE-2016-10988 (v3: 6.1) 17 Sep 2019
The leenkme plugin before 2.6.0 for WordPress has stored XSS via facebook_message, facebook_linkname, facebook_caption, facebook_description, default_image, or _wp_http_referer.
CVE-2016-10990 (v3: 6.1) 17 Sep 2019
The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header.
CVE-2016-10992 (v3: 6.1) 17 Sep 2019
The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports from_year parameter.
CVE-2016-10993 (v3: 5.4) 17 Sep 2019
The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter.
CVE-2016-10973 (v3: 6.1) 16 Sep 2019
The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php.
CVE-2016-10957 (v3: 6.1) 16 Sep 2019
The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter.
CVE-2016-10961 (v3: 6.1) 16 Sep 2019
The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.
CVE-2016-10963 (v3: 6.1) 16 Sep 2019
The icegram plugin before 1.9.19 for WordPress has XSS.
CVE-2016-10964 (v3: 6.1) 16 Sep 2019
The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header.
CVE-2016-10967 (v3: 6.1) 16 Sep 2019
The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.
CVE-2016-10969 (v3: 6.1) 16 Sep 2019
The supportflow plugin before 0.7 for WordPress has XSS via a discussion ticket title.
CVE-2016-10970 (v3: 6.1) 16 Sep 2019
The supportflow plugin before 0.7 for WordPress has XSS via a ticket excerpt.
CVE-2016-10952 (v3: 6.1) 13 Sep 2019
The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.
CVE-2016-10953 (v3: 6.1) 13 Sep 2019
The Headway theme before 3.8.9 for WordPress has XSS via the license key field.
CVE-2016-10941 (v3: 6.1) 13 Sep 2019
The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.
CVE-2016-10936 (v3: 6.1) 27 Aug 2019
The wp-polls plugin before 2.73.1 for WordPress has XSS via the Poll bar option.
CVE-2016-10934 (v3: 6.1) 27 Aug 2019
The check-email plugin before 0.5.2 for WordPress has XSS.
CVE-2016-10925 (v3: 6.1) 22 Aug 2019
The peters-login-redirect plugin before 2.9.1 for WordPress has XSS during the editing of redirect URLs.
CVE-2016-10919 (v3: 6.1) 22 Aug 2019
The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats widget or the wassupURI::add_siteurl method, a different vulnerability than CVE-2012-2633.
CVE-2016-10920 (v3: 6.1) 22 Aug 2019
The gnucommerce plugin before 0.5.7-BETA for WordPress has XSS.
CVE-2016-10890 (v3: 6.1) 21 Aug 2019
The aryo-activity-log plugin before 2.3.2 for WordPress has XSS.
CVE-2016-10891 (v3: 6.1) 21 Aug 2019
The aryo-activity-log plugin before 2.3.3 for WordPress has XSS.
CVE-2016-10910 (v3: 6.1) 21 Aug 2019
The formbuilder plugin before 1.06 for WordPress has multiple XSS issues.
CVE-2016-10911 (v3: 6.1) 21 Aug 2019
The profile-builder plugin before 2.4.2 for WordPress has multiple XSS issues.
CVE-2016-10912 (v3: 6.1) 21 Aug 2019
The universal-analytics plugin before 1.3.1 for WordPress has XSS.
CVE-2016-10900 (v3: 6.1) 21 Aug 2019
The uji-countdown plugin before 2.0.7 for WordPress has XSS.

2015

CVE-2015-7343 (v3: 4.8) 9 Mar 2020
JNews Joomla Component before 8.5.0 has XSS via the mailingsearch parameter.
CVE-2015-7344 (v3: 4.8) 9 Mar 2020
HikaShop Joomla Component before 2.6.0 has XSS via an injected payload[/caption].
CVE-2015-2992 (v3: 6.1) 27 Feb 2020
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
CVE-2015-0749 (v3: 6.1) 19 Feb 2020
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.
CVE-2015-5215 (v3: 6.1) 17 Feb 2020
** DISPUTED ** The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance issues as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default.
CVE-2015-5216 (v3: 6.1) 17 Feb 2020
The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly escape certain characters in a Python exception-message template, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via an HTTP response.
CVE-2015-2207 (v3: 5.4) 8 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) ctrl, (2) t90001_0_theform_selection, (3) _scroll, (4) tableName, (5) parent, (6) circuit, (7) return, (8) xname, or (9) mpTransactionId parameter.
CVE-2015-1394 (v3: 5.4) 8 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6) clipboard_files, (7) clipboard_src, or (8) clipboard_dest parameters in an addImages action to wp-admin/admin-ajax.php.
CVE-2015-3612 (v3: 5.4) 4 Feb 2020
A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page.
CVE-2015-2249 (v3: 5.4) 27 Jan 2020
Zimbra Collaboration before 8.6.0 patch5 has XSS.
CVE-2015-5484 (v3: 5.4) 15 Jan 2020
Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1.0.3 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via a post.
CVE-2015-4039 (v3: 5.4) 6 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in the WP Membership plugin 1.2.3 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via unspecified (1) profile fields or (2) new post content. NOTE: CVE-2015-4038 can be used to bypass the administrator confirmation step for vector 2.
CVE-2015-5592 (v3: 6.1) 31 Dec 2019
Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks.
CVE-2015-5593 (v3: 6.1) 31 Dec 2019
The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<script>payload", or in an image tag, with the payload as the onerror event.
CVE-2015-3425 (v3: 6.1) 9 Dec 2019
Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter.
CVE-2015-4457 (v3: 5.4) 26 Nov 2019
Multiple cross-site scripting (XSS) vulnerabilities in the Cloudera Manager UI before 5.4.3 allow remote authenticated users to inject arbitrary web script or HTML using unspecified vectors.
CVE-2015-9537 (v3: 5.4) 26 Nov 2019
The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XSS issues involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template.
CVE-2015-9539 (v3: 6.1) 26 Nov 2019
The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows fs_contact_form1[welcome] XSS.
CVE-2015-2793 (v3: 6.1) 21 Nov 2019
Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi.
CVE-2015-9502 (v3: 6.1) 23 Oct 2019
The Auberge theme before 1.4.5 for WordPress has XSS via the genericons/example.html anchor identifier.
CVE-2015-9503 (v3: 6.1) 23 Oct 2019
The Modern theme before 1.4.2 for WordPress has XSS via the genericons/example.html anchor identifier.
CVE-2015-9504 (v3: 6.1) 23 Oct 2019
The weeklynews theme before 2.2.9 for WordPress has XSS via the s parameter.
CVE-2015-9505 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused.
CVE-2015-9506 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9507 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Attach Accounts to Orders extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9508 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9509 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9510 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9511 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Conditional Success Redirects extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9512 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9513 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Favorites extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9514 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Free Downloads extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9515 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) htaccess Editor extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9516 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9517 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Manual Purchases extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9518 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9519 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9520 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Per Product Emails extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9521 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9522 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) QR Code extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9523 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Recommended Products extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9524 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Recount Earnings extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9525 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Recurring Payments extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9526 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Reviews extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9527 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Simple Shipping extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9528 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Software Licensing extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9529 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9530 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Upload File extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9531 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
CVE-2015-9532 (v3: 6.1) 23 Oct 2019
The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

2014

CVE-2014-8944 (v3: 5.4) 1 Jun 2020
Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter.
CVE-2014-9606 (v3: 6.1) 19 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/.
CVE-2014-9607 (v3: 6.1) 19 Feb 2020
Cross-site scripting (XSS) vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVE-2014-9608 (v3: 6.1) 19 Feb 2020
Cross-site scripting (XSS) vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2014-9615 (v3: 6.1) 19 Feb 2020
Cross-site scripting (XSS) vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php.
CVE-2014-3919 (v3: 9.3) 13 Feb 2020
A vulnerability exists in Netgear CG3100 devices before 3.9.2421.13.mp3 V0027 via an embed malicious script in an unspecified page, which could let a malicious user obtain sensitive information.
CVE-2014-3826 (v3: 5.4) 11 Feb 2020
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module.
CVE-2014-3827 (v3: 5.4) 11 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php.
CVE-2014-6447 (v3: 7.1) 11 Feb 2020
Multiple vulnerabilities exist in Juniper Junos J-Web error handling that may lead to cross site scripting (XSS) issues or crash the J-Web service (DoS). This affects Juniper Junos OS 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, 12.3 before 12.3R8, 12.3X48 before 12.3X48-D10, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R3, 14.1X53 before 14.1X53-D10, 14.2 before 14.2R1, and 15.1 before 15.1R1.
CVE-2014-9126 (v3: 6.1) 8 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in Open-School Community Edition 2.2 allow remote attackers to inject arbitrary web script or HTML via the YII_CSRF_TOKEN HTTP cookie or the StudentDocument, StudentCategories, StudentPreviousDatas parameters to index.php.
CVE-2014-9470 (v3: 6.1) 8 Feb 2020
Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search.
CVE-2014-6413 (v3: 6.1) 7 Feb 2020
A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11.8.3 via the poll_name parameter in the firewall/policy script.
CVE-2014-5039 (v3: 9.6) 31 Jan 2020
Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-8338 (v3: 6.1) 31 Jan 2020
Cross-site scripting (XSS) vulnerability in vwrooms/js/jsor-jcarousel/examples/special_textscroller.php in the VideoWhisper Webcam plugins for Drupal 7.x allows remote attackers to inject arbitrary web script or HTML via a URL to a crafted SVG file in the feed parameter.
CVE-2014-3809 (v3: 6.1) 31 Jan 2020
Cross-site scripting (XSS) vulnerability in the management interface in Alcatel-Lucent 1830 Photonic Service Switch (PSS) 6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the myurl parameter to menu/pop.html.
CVE-2014-2843 (v3: 6.1) 31 Jan 2020
Cross-site scripting (XSS) vulnerability in infoware MapSuite MapAPI 1.0.x before 1.0.36 and 1.1.x before 1.1.49 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-3718 (v3: 6.1) 30 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/tag_m.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to inject arbitrary web script or HTML via the (1) find, (2) lib, or (3) sid parameter.
CVE-2014-8490 (v3: 6.1) 28 Jan 2020
Cross-site scripting (XSS) vulnerability in TennisConnect COMPONENTS 9.927 allows remote attackers to inject arbitrary web script or HTML via the pid parameter to index.cfm.
CVE-2014-5500 (v3: 6.1) 27 Jan 2020
Synacor Zimbra Collaboration before 8.0.8 has XSS.
CVE-2014-7238 (v3: 6.1) 23 Jan 2020
The WordPress plugin Contact Form Integrated With Google Maps 1.0-2.4 has Stored XSS
CVE-2014-9211 (v3: 6.1) 14 Jan 2020
ClickDesk version 4.3 and below has persistent cross site scripting
CVE-2014-4561 (v3: 6.1) 10 Jan 2020
The ultimate-weather plugin 1.0 for WordPress has XSS
CVE-2014-4530 (v3: 6.1) 10 Jan 2020
flog plugin 0.1 for WordPress has XSS
CVE-2014-1454 (v3: 4.8) 8 Jan 2020
Pearson eSIS (Enterprise Student Information System) message board has stored XSS due to improper validation of user input
CVE-2014-9405 (v3: 5.4) 6 Jan 2020
A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code.
CVE-2014-8674 (v3: 5.4) 6 Jan 2020
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cookie in nb_mois and mb_ligness and the debug GET parameter to export.php, which allows malicious users to execute arbitrary code.
CVE-2014-3743 (v3: 6.1) 6 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.
CVE-2014-10398 (v3: 6.1) 3 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client. Private Client (aka RBS BS-Client. Retail Client) 2.5, 2.4, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) DICTIONARY, (2) FILTERIDENT, (3) FROMSCHEME, (4) FromPoint, or (5) FName_0 parameter and a valid sid parameter value.
CVE-2014-4196 (v3: 6.1) 3 Jan 2020
Cross-site scripting (XSS) vulnerability in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client 3.17.9 allows remote attackers to inject arbitrary web script or HTML via the colorstyle parameter.
CVE-2014-0183 (v3: 6.1) 2 Jan 2020
Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS via HTML in the systems name when registering.
CVE-2014-4553 (v3: 6.1) 2 Jan 2020
Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress allows remote attackers to execute arbitrary web script or HTML via unspecified parameters.
CVE-2014-6420 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture.
CVE-2014-4535 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php.
CVE-2014-4536 (v3: 6.1) 27 Dec 2019
Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter.
CVE-2014-4550 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter.
CVE-2014-4539 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php.
CVE-2014-4544 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in the Podcast Channels plugin 0.20 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the Filename parameter to getid3/demos/demo.write.php.
CVE-2014-4548 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in tinymce/popup.php in the Ruven Toolkit plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the popup parameter.
CVE-2014-4558 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter.
CVE-2014-4567 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_logout.php in the Video Comments Webcam Recorder plugin 1.55, as downloaded before 20140116 for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2014-4592 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVE-2014-4519 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in the Conversador plugin 2.61 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the 'page' parameter.
CVE-2014-4523 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in the Easy Career Openings plugin 0.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVE-2014-4525 (v3: 6.1) 27 Dec 2019
Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in the Ebay Feeds for WordPress plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter.
CVE-2014-4559 (v3: 6.1) 27 Dec 2019
Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) api_key, (2) payment_page_url, (3) merchant_id, (4) api_url, or (5) currency parameter.
CVE-2014-4913 (v3: 6.1) 15 Dec 2019
ZF2014-03 has a potential cross site scripting vector in multiple view helpers
CVE-2014-3656 (v3: 6.1) 10 Dec 2019
JBoss KeyCloak: XSS in login-status-iframe.html
CVE-2014-3875 (v3: 6.1) 27 Nov 2019
The addto parameter to fup in Frams' Fast File EXchange (F*EX, aka fex) before fex-2014053 allows remote attackers to conduct cross-site scripting (XSS) attacks
CVE-2014-2214 (v3: 6.1) 22 Nov 2019
Multiple cross-site scripting (XSS) vulnerabilities in POSH (aka Posh portal or Portaneo) 3.0 through 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) error parameter to /includes/plugins/mobile/scripts/login.php or (2) id parameter to portal/openrssarticle.php
CVE-2014-1238 (v3: 6.1) 22 Nov 2019
Cross-site scripting (XSS) vulnerability in ui/common/managedlistdialog.aspx in Gael Q-Pulse 0.6 and earlier.

2013

CVE-2013-2679 (v3: 6.1) 18 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E4200 router with firmware 1.0.05 build 7 allow remote attackers to inject arbitrary web script or HTML via the (1) log_type, (2) ping_ip, (3) ping_size, (4) submit_type, or (5) traceroute_ip parameter to apply.cgi or (6) new_workgroup or (7) submit_button parameter to storage/apply.cgi.
CVE-2013-4791 (v3: 5.4) 14 Feb 2020
PrestaShop before 1.4.11 allows Logistician, translators and other low level profiles/accounts to inject a persistent XSS vector on TinyMCE.
CVE-2013-5212 (v3: 6.1) 14 Feb 2020
Cross-site Scripting (XSS) in EasyXDM before 2.4.18 allows remote attackers to inject arbitrary web script or html via the easyxdm.swf file.
CVE-2013-6022 (v3: 6.1) 12 Feb 2020
A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code.
CVE-2013-2637 (v3: 6.1) 12 Feb 2020
A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.
CVE-2013-4395 (v3: 6.1) 12 Feb 2020
Simple Machines Forum (SMF) through 2.0.5 has XSS
CVE-2013-1938 (v3: 6.1) 12 Feb 2020
Zimbra 2013 has XSS in aspell.php
CVE-2013-1410 (v3: 6.1) 12 Feb 2020
Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities
CVE-2013-4225 (v3: 8.8) 11 Feb 2020
The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.
CVE-2013-5988 (v3: 6.1) 11 Feb 2020
A Cross-site Scripting (XSS) vulnerability exists in the All in One SEO Pack plugin before 2.0.3.1 for WordPress via the Search parameter.
CVE-2013-1760 (v3: 6.1) 11 Feb 2020
The Bug Genie before 3.2.6 has Multiple XSS and HTML Injection Vulnerabilities
CVE-2013-1353 (v3: 5.4) 10 Feb 2020
Orange HRM 2.7.1 allows XSS via the vacancy name.
CVE-2013-3067 (v3: 5.4) 7 Feb 2020
Linksys WRT310Nv2 2.0.0.1 is vulnerable to XSS.
CVE-2013-3635 (v3: 5.4) 7 Feb 2020
ProjectPier 0.8.8 has stored XSS
CVE-2013-3636 (v3: 5.4) 7 Feb 2020
ProjectPier 0.8.8 has a Remote Information Disclosure Weakness because of the lack of the HttpOnly cookie flag
CVE-2013-3637 (v3: 5.4) 7 Feb 2020
ProjectPier 0.8.8 does not use the Secure flag for cookies
CVE-2013-2008 (v3: 6.1) 7 Feb 2020
WordPress Super Cache Plugin 1.3 has XSS.
CVE-2013-2684 (v3: 6.1) 6 Feb 2020
Cross-site Scripting (XSS) in Cisco Linksys E4200 1.0.05 Build 7 devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-7054 (v3: 6.1) 4 Feb 2020
D-Link DIR-100 4.03B07: cli.cgi XSS
CVE-2013-2622 (v3: 6.1) 3 Feb 2020
Cross-site Scripting (XSS) in UebiMiau 2.7.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the "selected_theme" parameter in error.php.
CVE-2013-2623 (v3: 6.1) 3 Feb 2020
Cross-site Scripting (XSS) in Telaen before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the "f_email" parameter in index.php.
CVE-2013-3565 (v3: 6.1) 31 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which is returned in an error message through share/lua/intf/http.lua.
CVE-2013-2294 (v3: 6.1) 30 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in ViewGit before 0.0.7 allow remote repository users to inject arbitrary web script or HTML via a (1) tag name to the Shortlog table in templates/shortlog.php or branch name to the (2) Shortlog table in templates/shortlog.php or (3) Heads table in plates/summary.php.
CVE-2013-4241 (v3: 6.1) 30 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) image, (3) url, or (4) testimonial parameter to the Testimonial form (hms-testimonials-addnew page); (5) date_format parameter to the Settings - Default form (hms-testimonials-settings page); (6) name parameter in a Save action to the Settings - Custom Fields form (hms-testimonials-settings-fields page); or (7) name parameter in a Save action to the Settings - Template form (hms-testimonials-templates-new page).
CVE-2013-0738 (v3: 6.1) 30 Jan 2020
Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php.
CVE-2013-0739 (v3: 6.1) 30 Jan 2020
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script.
CVE-2013-3320 (v3: 6.1) 29 Jan 2020
Cross-site Scripting (XSS) vulnerability in NetApp OnCommand System Manager before 2.2 allows remote attackers to inject arbitrary web script or HTML via the 'full-name' and 'comment' fields.
CVE-2013-0161 (v3: 5.4) 29 Jan 2020
Havalite CMS 1.1.7 has a stored XSS vulnerability
CVE-2013-2714 (v3: 6.1) 28 Jan 2020
Cross-site Scripting (XSS) in WordPress podPress Plugin 8.8.10.13 could allow remote attackers to inject arbitrary web script or html via the 'playerID' parameter.
CVE-2013-6451 (v3: 6.1) 28 Jan 2020
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.
CVE-2013-4770 (v3: 6.1) 27 Jan 2020
Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-0286 (v3: 5.4) 27 Jan 2020
Pinboard 1.0.6 theme for Wordpress has XSS.
CVE-2013-6430 (v3: 5.4) 10 Jan 2020
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
CVE-2013-5637 (v3: 5.4) 7 Jan 2020
PQI AirCard has persistent XSS
CVE-2013-5638 (v3: 5.4) 7 Jan 2020
Transcend WiFiSD 1.8 has persistent XSS
CVE-2013-5658 (v3: 6.1) 7 Jan 2020
AultWare pwStore 2010.8.30.0 has XSS
CVE-2013-0737 (v3: 6.1) 2 Jan 2020
Cross-site scripting (XSS) vulnerability in BoltWire 3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the fieldnames parameter.
CVE-2013-1642 (v3: 6.1) 2 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in QuiXplorer before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) dir, (2) item, (3) order, (4) searchitem, (5) selitems[], or (6) srt parameter to index.php or (7) the QUERY_STRING to index.php.
CVE-2013-1420 (v3: 6.1) 2 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. NOTE: the path parameter in admin/upload.php vector is already covered by CVE-2012-6621.
CVE-2013-7351 (v3: 6.1) 2 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks.
CVE-2013-3931 (v3: 5.4) 2 Jan 2020
Cross-site scripting (XSS) vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to inject arbitrary web script or HTML via the property_name parameter, related to editing property details.
CVE-2013-6242 (v3: 6.1) 2 Jan 2020
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. NOTE: the vulnerabilities related to the body of the email and the publication name were SPLIT from this CVE ID because they affect different sets of versions.
CVE-2013-7062 (v3: 6.1) 2 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method.
CVE-2013-7485 (v3: 6.1) 2 Jan 2020
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions.
CVE-2013-7486 (v3: 6.1) 2 Jan 2020
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions.
CVE-2013-4752 (v3: 6.1) 2 Jan 2020
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
CVE-2013-3936 (v3: 6.1) 2 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML.
CVE-2013-7071 (v3: 6.1) 31 Dec 2019
Cross-site scripting (XSS) vulnerability in the handle_request function in lib/HTTPServer.pm in Monitorix before 3.4.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2013-4692 (v3: 6.1) 27 Dec 2019
Xorbin Analog Flash Clock 1.0 extension for Joomia has XSS
CVE-2013-4664 (v3: 6.1) 27 Dec 2019
SPBAS Business Automation Software 2012 has XSS.

2012

CVE-2012-3351 (v3: 6.1) 20 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in LongTail Video JW Player through 5.10.2295 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) logo.link, or (3) aboutlink parameter, or a nested URI scheme name for (4) javascript, (5) asfunction, or (6) vbscript.
CVE-2012-1932 (v3: 4.8) 19 Feb 2020
A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlier allows remote attackers to inject arbitrary web script or HTML via the setting[admin_email] parameter to admin/setting.
CVE-2012-1500 (v3: 5.4) 13 Feb 2020
Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code.
CVE-2012-1903 (v3: 5.4) 13 Feb 2020
XSS in Telligent Community 5.6.583.20496 via a flash file and related to the allowScriptAccess parameter.
CVE-2012-2452 (v3: 6.1) 11 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in pragmaMx 1.x before 1.12.2 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to modules.php or (2) img_url to includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php.
CVE-2012-2517 (v3: 6.1) 11 Feb 2020
Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php.
CVE-2012-6720 (v3: 6.1) 11 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine before 4.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to music/create, (2) location parameter to events/create, or (3) search parameter to widget/index/content_id/*.
CVE-2012-4519 (v3: 6.1) 11 Feb 2020
Zenphoto before 1.4.3.4 admin-news-articles.php date parameter XSS.
CVE-2012-6449 (v3: 5.4) 10 Feb 2020
The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability.
CVE-2012-6666 (v3: 6.1) 10 Feb 2020
vBSeo before 3.6.0PL2 allows XSS via the member.php u parameter.
CVE-2012-4029 (v3: 6.1) 8 Feb 2020
Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action.
CVE-2012-2593 (v3: 6.1) 6 Feb 2020
Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote attackers to inject arbitrary web script or HTML via the Date field of an email.
CVE-2012-6133 (v3: 6.1) 30 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.
CVE-2012-5776 (v3: 5.4) 29 Jan 2020
Dokeos 2.1.1 has multiple XSS issues involving "extra_" parameters in main/auth/profile.php.
CVE-2012-6448 (v3: 6.1) 27 Jan 2020
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-6494 (v3: 6.1) 25 Jan 2020
Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access.
CVE-2012-6344 (v3: 6.1) 25 Jan 2020
Novell ZENworks Configuration Management before 11.2.4 allows XSS.
CVE-2012-1915 (v3: 6.1) 9 Jan 2020
EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks.
CVE-2012-5558 (v3: 4.8) 9 Jan 2020
Cross-site scripting (XSS) vulnerability in the Smiley module 6.x-1.x versions prior to 6.x-1.1 and Smileys module 6.x-1.x versions prior to 6.x-1.1 for Drupal allows remote authenticated users with the "administer smiley" permission to inject arbitrary web script or HTML via a smiley acronym.
CVE-2012-1260 (v3: 6.1) 9 Jan 2020
Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script.
CVE-2012-1261 (v3: 6.1) 9 Jan 2020
Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML via the standalone parameter.
CVE-2012-4451 (v3: 6.1) 3 Jan 2020
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.
CVE-2012-2237 (v3: 6.1) 17 Dec 2019
Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.3 and 1.5.x before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript innerHTML as used when generating login forms, (2) links or (3) resources URLs, and (4) the Display name in a user profile.
CVE-2012-1114 (v3: 6.1) 5 Dec 2019
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115 (v3: 6.1) 5 Dec 2019
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-4525 (v3: 6.1) 2 Dec 2019
piwigo has XSS in password.php
CVE-2012-4526 (v3: 6.1) 2 Dec 2019
piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
CVE-2012-0812 (v3: 6.1) 22 Nov 2019
PostfixAdmin 2.3.4 has multiple XSS vulnerabilities
CVE-2012-1637 (v3: 4.8) 21 Nov 2019
Cross-site scripting vulnerability (XSS) in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal.
CVE-2012-2078 (v3: 4.8) 21 Nov 2019
Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2012-1001 (v3: 6.1) 21 Nov 2019
Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php.
CVE-2012-4440 (v3: 6.1) 18 Nov 2019
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin.
CVE-2012-4441 (v3: 6.1) 18 Nov 2019
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2012-4439 (v3: 6.1) 18 Nov 2019
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins.
CVE-2012-5193 (v3: 6.1) 13 Nov 2019
Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) stats/index.php or (2) newsletters/edition.php or the (3) username parameter to users/remind_password.php, (4) days parameter to stats/index.php, (5) login parameter to users/register.php, or (6) highlight parameter.
CVE-2012-4384 (v3: 6.1) 13 Nov 2019
letodms has multiple XSS issues: Reflected XSS in Login Page, Stored XSS in Document Owner/User name, Stored XSS in Calendar
CVE-2012-6717 (v3: 6.1) 28 Aug 2019
The redirection plugin before 2.2.12 for WordPress has XSS, a different issue than CVE-2011-4562.
CVE-2012-6718 (v3: 6.1) 28 Aug 2019
The sharebar plugin before 1.2.2 for WordPress has XSS, a different issue than CVE-2013-3491.
CVE-2012-6716 (v3: 6.1) 22 Aug 2019
The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links.
CVE-2012-6714 (v3: 6.1) 21 Aug 2019
The count-per-day plugin before 3.2.3 for WordPress has XSS via search words.
CVE-2012-6715 (v3: 6.1) 21 Aug 2019
The formbuilder plugin before 0.9.1 for WordPress has XSS via a Referer header.
CVE-2012-6713 (v3: 6.1) 13 Aug 2019
The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues.
CVE-2012-3536 (v3: 6.1) 27 Feb 2018
Two XSS vulnerabilities were fixed in message list and view in the Hupa Webmail application from the Apache James project. An attacker could send a carefully crafted email to a user of Hupa which would trigger a XSS when the email was opened or when a list of messages were viewed. This issue was addressed in Hupa 0.0.3.
CVE-2012-6346 (v3: 6.1) 9 Feb 2018
Multiple cross-site scripting (XSS) vulnerabilities in FortiWeb before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) redir or (2) mkey parameter to waf/pcre_expression/validate.
CVE-2012-6347 (v3: 6.1) 9 Feb 2018
Multiple cross-site scripting (XSS) vulnerabilities in Java number format exception handling in FortiGate FortiDB before 4.4.2 allow remote attackers to inject arbitrary web script or HTML via the conversationContext parameter to (1) admin/auditTrail.jsf, (2) mapolicymgmt/targetsMonitorView.jsf, (3) vascan/globalsummary.jsf, (4) vaerrorlog/vaErrorLog.jsf, (5) database/listTargetGroups.jsf, (6) sysconfig/listSystemInfo.jsf, (7) vascan/list.jsf, (8) network/router.jsf, (9) mapolicymgmt/editPolicyProfile.jsf, or (10) mapolicymgmt/maPolicyMasterList.jsf.
CVE-2012-0941 (v3: 6.1) 8 Feb 2018
Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules, or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list.
CVE-2012-6708 (v3: 6.1) 18 Jan 2018
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CVE-2012-6668 (v3: 6.1) 11 Jan 2018
Multiple cross-site scripting (XSS) vulnerabilities in the Shout Reports in the DragonByte Technologies vBShout module before 6.0.6 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the (1) reportreason parameter in actions/doreport.php or (2) modnotes parameter in actions/updatereport.php.
CVE-2012-6670 (v3: 6.1) 11 Jan 2018
Multiple cross-site scripting (XSS) vulnerabilities in the DragonByte Technologies vbActivity module before 3.0.1 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the reason parameter in (1) actions/nominatemedal.php or (2) actions/requestmedal.php.
CVE-2012-6671 (v3: 6.1) 11 Jan 2018
Multiple cross-site scripting (XSS) vulnerabilities in actions/main.php in the DragonByte Technologies Forumon RPG module before 1.0.8 for vBulletin when creating a new monster, allow remote attackers to inject arbitrary web script or HTML via the (1) monster[title] or (2) monster[description] parameters.

2011

CVE-2011-2499 (v3: 6.1) 12 Feb 2020
Mambo CMS through 4.6.5 has multiple XSS.
CVE-2011-4938 (v3: 6.1) 11 Feb 2020
Multiple cross-site scripting (XSS) vulnerabilities in Ariadne 2.7.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO parameter to (1) index.php and (2) loader.php.
CVE-2011-3642 (v3: 9.6) 8 Feb 2020
Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.
CVE-2011-1086 (v3: 6.1) 7 Feb 2020
Cross-site scripting (XSS) vulnerability in admin/system.html in Openfiler 2.3 allows remote attackers to inject arbitrary web script or HTML via the device parameter.
CVE-2011-1084 (v3: 6.1) 7 Feb 2020
A cross-site scripting (XSS) vulnerability in Smoothwall Express 3.
CVE-2011-1150 (v3: 6.1) 5 Feb 2020
bbPress through 1.0.2 has XSS in /bb-login.php url via the re parameter.
CVE-2011-1009 (v3: 6.1) 5 Feb 2020
Vanilla Forums 2.0.17.1 through 2.0.17.5 has XSS in /vanilla/index.php via the p parameter.
CVE-2011-1069 (v3: 6.1) 5 Feb 2020
PHPShop through 0.8.1 has XSS.
CVE-2011-3622 (v3: 6.1) 22 Jan 2020
A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18.
CVE-2011-3595 (v3: 5.4) 22 Jan 2020
Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters.
CVE-2011-3610 (v3: 6.1) 22 Jan 2020
A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf.
CVE-2011-4095 (v3: 6.1) 21 Jan 2020
Jara 1.6 has an XSS vulnerability
CVE-2011-4336 (v3: 6.1) 15 Jan 2020
Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
CVE-2011-2714 (v3: 6.1) 14 Jan 2020
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
CVE-2011-2706 (v3: 6.1) 14 Jan 2020
A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.
CVE-2011-3183 (v3: 6.1) 14 Jan 2020
A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.
CVE-2011-3202 (v3: 6.1) 14 Jan 2020
A Cross-Site Scripting (XSS) vulnerability exists in the g parameter to index.php in Jcow CMS 4.2 and earlier.
CVE-2011-2670 (v3: 6.1) 13 Jan 2020
Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style Sheets
CVE-2011-4595 (v3: 6.1) 10 Jan 2020
Pretty-Link WordPress plugin 1.5.2 has XSS
CVE-2011-5018 (v3: 6.1) 8 Jan 2020
Koala Framework before 2011-11-21 has XSS via the request_uri parameter.
CVE-2011-4090 (v3: 6.1) 26 Nov 2019
Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation.
CVE-2011-3606 (v3: 5.4) 26 Nov 2019
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
CVE-2011-3373 (v3: 6.1) 25 Nov 2019
Drupal Views Builk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has had user tagging enabled and the "Modify node taxonomy terms" action is used. A remote attacker could provide a specially-crafted URL that could lead to cross-site scripting (XSS) attack.
CVE-2011-4924 (v3: 6.1) 25 Nov 2019
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104
CVE-2011-4454 (v3: 6.1) 20 Nov 2019
Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index.
CVE-2011-4455 (v3: 6.1) 20 Nov 2019
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.
CVE-2011-3352 (v3: 4.8) 19 Nov 2019
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.
CVE-2011-0544 (v3: 6.1) 14 Nov 2019
phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag.
CVE-2011-3370 (v3: 6.1) 12 Nov 2019
statusnet before 0.9.9 has XSS
CVE-2011-2935 (v3: 6.1) 12 Nov 2019
Elgg through 1.7.10 has XSS
CVE-2011-4903 (v3: 6.1) 6 Nov 2019
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function.
CVE-2011-4626 (v3: 6.1) 6 Nov 2019
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the "JSwindow" property of the typolink function.
CVE-2011-4629 (v3: 5.4) 6 Nov 2019
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the admin panel.
CVE-2011-4630 (v3: 5.4) 6 Nov 2019
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard.
CVE-2011-4631 (v3: 5.4) 6 Nov 2019
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension recycler.
CVE-2011-4632 (v3: 5.4) 6 Nov 2019
Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message.
CVE-2011-1133 (v3: 6.1) 5 Nov 2019
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php.
CVE-2011-1135 (v3: 6.1) 5 Nov 2019
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/ImageManager/manager.php.
CVE-2011-0428 (v3: 6.1) 29 Oct 2019
Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow remote attackers to insert arbitrary JavaScript due to insufficient checking in comments.
CVE-2011-5329 (v3: 6.1) 28 Aug 2019
The redirection plugin before 2.2.9 for WordPress has XSS in the admin menu, a different issue than CVE-2011-4562.
CVE-2011-4955 (v3: 6.1) 20 Dec 2017
Multiple cross-site scripting (XSS) vulnerabilities in ui_stats.php in the bSuite plugin before 5 alpha 3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s or (2) p parameters to index.php.
CVE-2011-4333 (v3: 6.1) 23 Oct 2017
Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) from parameter to index.php or the (2) page_no parameter to recentchanges.php.
CVE-2011-5296 (v2: 4.3) 1 Jan 2015
Cross-site scripting (XSS) vulnerability in profilo.php in Happy Chat 1.0 allows remote attackers to inject arbitrary web script or HTML via the nick parameter.
CVE-2011-5297 (v2: 4.3) 1 Jan 2015
Multiple cross-site scripting (XSS) vulnerabilities in TTChat 1.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the msg parameter to default.php or (2) the username parameter to chat_form.php.
CVE-2011-5299 (v2: 4.3) 1 Jan 2015
Multiple cross-site scripting (XSS) vulnerabilities in poMMo Aardvark PR16.1 allow remote attackers to inject arbitrary web script or HTML via (1) the referer parameter to index.php, (2) the site_name parameter to admin/setup/config/general.php, (3) the group_name parameter to admin/subscribers/subscribers_groups.php, or (4) the field_name parameter to admin/setup/setup_fields.php.
CVE-2011-5301 (v2: 4.3) 1 Jan 2015
Multiple cross-site scripting (XSS) vulnerabilities in PHPDug 2.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the story_url parameter to add_story.php, (2) the email parameter to editprofile.php, (3) the title parameter to adm/content_add.php, or (4) the username parameter to adm/admin_edit.php.
CVE-2011-5303 (v2: 4.3) 1 Jan 2015
Cross-site scripting (XSS) vulnerability in Spitfire CMS 1.0.436 allows remote attackers to inject arbitrary web script or HTML via a cms_username cookie.
CVE-2011-5304 (v2: 4.3) 1 Jan 2015
Multiple cross-site scripting (XSS) vulnerabilities in the Sodahead Polls plugin before 2.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) the poll_id parameter to customizer.php or (2) the customize parameter to poll.php.
CVE-2011-5305 (v2: 4.3) 1 Jan 2015
Multiple cross-site scripting (XSS) vulnerabilities in CosmoShop ePRO 10.05.00 allow remote attackers to inject arbitrary web script or HTML via (1) the rcopy parameter to cgi-bin/admin/rubrikadmin.cgi, (2) the typ parameter to cgi-bin/admin/artikeladmin.cgi, or (3) the suchbegriff parameter to cgi-bin/admin/shophilfe_suche.cgi.
CVE-2011-5307 (v2: 4.3) 1 Jan 2015
Cross-site scripting (XSS) vulnerability in index.php in the PhotoSmash plugin 1.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.