VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
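The following JavaScript is an added illustration of that description; it is not code from the CWE entry or from any of the projects listed below. A tiny server-side renderer builds a profile page by string concatenation (the CWE-79 pattern) and then the same page with every untrusted value neutralized for the context it lands in. It goes one step beyond the description by also covering the URL-attribute context, where escaping HTML metacharacters alone is not enough because a `javascript:` URL contains none. The function names `escapeHtml`, `safeHref`, `renderProfileUnsafe`, `renderProfileSafe` and the `hostileUser` record are hypothetical and constructed for this example.

```javascript
// Added example, not project code. All names below are hypothetical.

// Escape the characters that change meaning inside HTML text content or a
// double-quoted attribute value. Escaping is done at output time, because
// the same stored value may later be emitted into a different context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// URL attributes need more than escaping: href="javascript:alert(1)" has no
// HTML metacharacters. Allow-list the scheme instead of block-listing
// "javascript:", so case tricks and embedded tabs/newlines are handled by the
// URL parser rather than by a regex.
function safeHref(url) {
  const s = String(url).trim();
  // Site-relative paths are acceptable; protocol-relative ("//evil") are not.
  if (s.startsWith('/') && !s.startsWith('//')) return escapeHtml(s);
  let parsed;
  try {
    parsed = new URL(s);          // absolute URLs only from here on
  } catch (e) {
    return '#';                   // unparseable: neutralize to a harmless link
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '#';
  return escapeHtml(parsed.href); // still attribute-escape the normalized URL
}

// Vulnerable: user-controlled fields are concatenated straight into markup
// that is served to other users (CWE-79).
function renderProfileUnsafe(user) {
  return '<h1>' + user.name + '</h1>\n' +
         '<a href="' + user.website + '">website</a>';
}

// Fixed: each value is neutralized for the context it is inserted into.
function renderProfileSafe(user) {
  return '<h1>' + escapeHtml(user.name) + '</h1>\n' +
         '<a href="' + safeHref(user.website) + '">website</a>';
}

// Constructed sample input: a stored profile whose fields an attacker controls.
const hostileUser = {
  name: '<img src=x onerror="alert(document.cookie)">',
  website: 'javascript:alert(1)',
};

console.log(renderProfileUnsafe(hostileUser)); // payload survives intact
console.log(renderProfileSafe(hostileUser));   // inert text plus href="#"
```

The fixed renderer neutralizes the stored `name` by escaping and the `website` link by scheme allow-listing; neither step on its own would have covered both fields, which is why context-aware output encoding, not input filtering, is the usual fix for this weakness.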

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,177)

page 921 of 1,159
  • CVE-2018-19289 · Nov 15, 2018
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file.

  • CVE-2018-17960 · Nov 14, 2018
    risk 0.00 · cvss · epss 0.02

    CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.

  • CVE-2018-19280 · Nov 14, 2018
    risk 0.00 · cvss · epss 0.00

    Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro.

  • CVE-2018-16471 · Nov 13, 2018
    risk 0.00 · cvss · epss 0.01

    There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value…

  • CVE-2018-14655 · Nov 13, 2018
    risk 0.00 · cvss · epss 0.00

    A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2 and 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary JavaScript code via the 'state' parameter in the authentication URL. This allows an XSS attack upon successful login.

  • CVE-2018-19056 · Nov 7, 2018
    risk 0.00 · cvss · epss 0.00

    pandao Editor.md 1.5.0 has DOM XSS via input starting with a "<<" substring, which is mishandled during construction of an A element.

  • CVE-2018-19057 · Nov 7, 2018
    risk 0.00 · cvss · epss 0.00

    SimpleMDE 1.11.2 has XSS via an onerror attribute of a crafted IMG element, or via certain input with [ and ( characters, which is mishandled during construction of an A element.

  • CVE-2018-16474 · Nov 6, 2018
    risk 0.00 · cvss · epss 0.00

    A stored XSS in the tianma-static module, versions <=1.0.4, allows an attacker to execute arbitrary JavaScript.

  • CVE-2018-18943 · Nov 5, 2018
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI.

  • CVE-2018-16468 · Oct 30, 2018
    risk 0.00 · cvss · epss 0.00

    In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

  • CVE-2018-17783 · Oct 30, 2018
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name.

  • CVE-2018-17782 · Oct 30, 2018
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Manage Filters page (manage_filter_page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name.

  • CVE-2018-18478 · Oct 18, 2018
    risk 0.00 · cvss · epss 0.00

    Persistent Cross-Site Scripting (XSS) issues in LibreNMS before 1.44 allow remote attackers to inject arbitrary web script or HTML via the dashboard_name parameter in the /ajax_form.php resource, related to html/includes/forms/add-dashboard.inc.php,…

  • CVE-2018-18307 · Oct 16, 2018
    risk 0.00 · cvss · epss 0.00

    A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route.…

  • CVE-2017-5934 · Oct 15, 2018
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2018-18260 · Oct 15, 2018
    risk 0.00 · cvss · epss 0.00

    In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false. NOTE: the vendor reports that they are "unable to reproduce the reported issue on any…

  • CVE-2018-18282 · Oct 12, 2018
    risk 0.00 · cvss · epss 0.00

    Next.js 7.0.0 and 7.0.1 have XSS via the 404 or 500 /_error page.

  • CVE-2018-8006 · Oct 10, 2018
    risk 0.00 · cvss · epss 0.79

    An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter.

  • CVE-2018-17876 · Oct 4, 2018
    risk 0.00 · cvss · epss 0.00

    A Stored XSS vulnerability has been discovered in the v5.5.0 version of the Coaster CMS product.

  • CVE-2018-15563 · Oct 2, 2018
    risk 0.00 · cvss · epss 0.00

    _core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter.