Cross-site Scripting (XSS)

The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenti

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output esc

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31 This is due to an incomplete JavaScript event handler blacklist in

The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogle

MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HT

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use `allowedSchemesAppliedToAttributes` (default: `['href', 's

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no k

Apostrophe has stored XSS via javascript: URL in Image Widget Link

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component Projects Management Page. The manipulation of the argument protitle resu

A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/add_tod of the component Dashboard Interface. The manipulation of the argument tod

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 thr

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patch

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a

Microsoft Exchange Server Cross-Site Scripting Vulnerability

RoundCube Webmail Cross-site Scripting Vulnerability

JQuery Cross-Site Scripting (XSS) Vulnerability

RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability

QNAP NAS File Station Cross-Site Scripting Vulnerability

Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability

Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability

D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability

Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability

Microsoft Windows MSHTML Platform Spoofing Vulnerability

Apple iOS, iPadOS, and watchOS WebKit Cross-Site Scripting (XSS) Vulnerability

WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability

MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability

RoundCube Webmail Cross-Site Scripting Vulnerability

WhatsApp Cross-Site Scripting Vulnerability

Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability

Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability

Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

OpenPLC ScadaBR Cross-site Scripting Vulnerability

Crestron Multiple Products Command Injection Vulnerability

Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability

Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

QNAP NAS File Station Cross-Site Scripting Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability