Search Results (42958 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-7140 1 Plone 1 Plone 2025-04-20 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-3848 1 Cisco 1 Prime Infrastructure 2025-04-20 N/A
A vulnerability in the HTTP web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. More Information: CSCuw63001 CSCuw63003. Known Affected Releases: 2.2(2). Known Fixed Releases: 3.1(0.0).
CVE-2017-17089 1 Webmin 1 Webmin 2025-04-20 N/A
custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality.
CVE-2017-3798 1 Cisco 1 Unified Communications Manager 2025-04-20 N/A
A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to mount XSS attacks against a user of an affected device. More Information: CSCvb97237. Known Affected Releases: 11.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 11.5(1.12029.1) 11.5(1.12900.11) 12.0(0.98000.369) 12.0(0.98000.370) 12.0(0.98000.398) 12.0(0.98000.457).
CVE-2017-3802 1 Cisco 1 Unified Communications Manager 2025-04-20 N/A
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvc20679. Known Affected Releases: 12.0(0.99000.9). Known Fixed Releases: 12.0(0.98000.176) 12.0(0.98000.414) 12.0(0.98000.531) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.98500.8).
CVE-2013-7454 1 Nodejs 1 Node.js 2025-04-20 N/A
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
CVE-2013-7453 1 Nodejs 1 Node.js 2025-04-20 N/A
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
CVE-2013-7433 1 Mapsplugin 1 Googlemaps 2025-04-20 N/A
Cross-site scripting (XSS) vulnerability in the Googlemaps plugin before 3.1 for Joomla!.
CVE-2017-16907 1 Horde 1 Groupware 2025-04-20 N/A
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
CVE-2017-5616 1 Cpanel 2 Cgiecho, Cgiemail 2025-04-20 N/A
Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter.
CVE-2017-9523 1 Sophos 1 Web Appliance 2025-04-20 N/A
The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page, aka NSWA-1342.
CVE-2017-9441 1 Bigtreecms 1 Bigtree Cms 2025-04-20 2.7 Low
Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files.
CVE-2017-8808 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2025-04-20 N/A
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping.
CVE-2017-8760 1 Accellion 1 File Transfer Appliance 2025-04-20 N/A
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS Vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding.
CVE-2017-8772 1 Twsz 2 Wifi Repeater, Wifi Repeater Firmware 2025-04-20 N/A
On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root") and can: 1. Read the entire file system; 2. Write to the file system; or 3. Execute any code that attacker desires (malicious or not).
CVE-2017-8780 1 Genixcms 1 Genixcms 2025-04-20 N/A
GeniXCMS 1.0.2 has XSS triggered by a comment that is mishandled during a publish operation by an administrator, as demonstrated by a malformed P element.
CVE-2017-9547 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change).
CVE-2017-9420 1 Sunnythemes 1 Spiffy Calendar 2025-04-20 N/A
Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin before 3.3.0 for WordPress allows remote attackers to inject arbitrary JavaScript via the yr parameter.
CVE-2017-8876 1 Getsymphony 1 Symphony 2025-04-20 6.1 Medium
Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php.
CVE-2017-8898 1 Invisioncommunity 1 Invision Power Board 2025-04-20 N/A
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the "<> Source" option.