| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Fujitsu ServerView Suite iRMC before 9.62F allows XSS. An authenticated attacker can store an XSS payload in the PSCU_FILE_INIT field of a Save Configuration XML document. The payload is triggered in the HTTP error response pages. |
| WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF. |
| WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter. |
| flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter. |
| PHP-Fusion 9.03 allows XSS on the preview page. |
| PHP-Fusion 9.03 allows XSS via the error_log file. |
| SugarCRM before 10.1.0 (Q3 2020) allows XSS. |
| USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs. |
| search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS. |
| Microsoft Exchange Server Remote Code Execution Vulnerability |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
| Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887. |
| A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter. |
| Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true). |
| A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link. |
| A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link. |
| OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim’s browsers in context of vulnerable applications. Executed code can be used to steal administrator’s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries. |
