About “Reflected XSS”

A curated feed of “Reflected XSS”-related CVEs appears below. We currently track 2754 CVEs for this tag (all time). In the last 365 days, 598 were published. Average CVSS is 6.7 (all time; 6.9 over 365d), and 66% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-352 - Cross-Site Request Forgery (CSRF), CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

In our taxonomy this topic maps to a MODERATE impact class: on its own, a reflected XSS lets an attacker who can get a victim to open a crafted link run script in that victim's browser session, so the typical outcome is theft of a session cookie or actions performed with the victim's privileges (see the Epson AirPrint and Relevanssi entries below) rather than direct server compromise, although a few entries chain further, such as the Vesta Control Panel issue that leads to remote PHP code execution. Use the filters below to sort by CVSS, risk and CWE, triage high-risk entries first, and validate exposure in your environment. Each detail page highlights vendor advisories and mitigation tips.
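Most entries in this feed share one shape: a request value (a GET parameter, PATH_INFO, $_SERVER['PHP_SELF'], an error message) is written into the response without encoding for the HTML context it lands in. The example below is added here and is not code from any of the listed projects; it is a dependency-free Node.js handler with a constructed sample request, showing the three reflection contexts that recur in the list (a link/path echoed into a form action, a search term echoed into body text, a URL echoed into an IFRAME src attribute), the same handler hardened with context-aware encoding, and a triage check that flags whether raw request markers survive unencoded in a response. Function names, the `/search.php` path and the parameter names `q` and `help` are assumptions for illustration.

```javascript
// Added example, not from the feed or any listed project.
// Node.js >= 12, no dependencies. Names, paths and parameters are assumptions.

// Constructed sample request: attacker-controlled path suffix and query string.
const SAMPLE = {
  path: '/search.php/"><script>alert(1)</script>',   // PATH_INFO / PHP_SELF style
  query: 'q=<img src=x onerror=alert(1)>&help=" onload="alert(1)',
};

function parseQuery(qs) {
  // URLSearchParams splits on "&" and the first "=" of each pair, %-decodes values.
  return Object.fromEntries(new URLSearchParams(qs));
}

// VULNERABLE: reflects raw request data into three different HTML contexts.
function renderVulnerable(req) {
  const p = parseQuery(req.query);
  return [
    `<form action="${req.path}">`,            // path/link context (PHP_SELF, PATH_INFO)
    `<p>Results for ${p.q || ""}</p>`,        // HTML body context (search term)
    `<iframe src="${p.help || ""}"></iframe>`, // attribute context (IFRAME src)
    `</form>`,
  ].join("\n");
}

// Encode for HTML text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL-bearing attributes need more than encoding: "javascript:alert(1)" passes
// escapeHtml untouched, so resolve against a fixed base and allow only http(s).
function safeUrl(s, base = "http://localhost") {
  try {
    const u = new URL(String(s), base);           // WHATWG parser %-encodes quotes/spaces
    if (u.protocol !== "http:" && u.protocol !== "https:") return "about:blank";
    return u.href;
  } catch (e) {
    return "about:blank";
  }
}

// HARDENED: encode per context and never echo the request path; use a fixed action.
function renderSafe(req) {
  const p = parseQuery(req.query);
  return [
    `<form action="/search.php">`,
    `<p>Results for ${escapeHtml(p.q || "")}</p>`,
    `<iframe src="${escapeHtml(safeUrl(p.help || ""))}"></iframe>`,
    `</form>`,
  ].join("\n");
}

// Triage check: does any request value containing an HTML-significant character
// appear verbatim in the response? True means the response reflects it unencoded.
function reflectsUnencoded(req, html) {
  const raw = [req.path, ...Object.values(parseQuery(req.query))];
  return raw.some((v) => /[<>"']/.test(v) && html.includes(v));
}

console.log("vulnerable reflects unencoded:", reflectsUnencoded(SAMPLE, renderVulnerable(SAMPLE)));
console.log("hardened reflects unencoded:  ", reflectsUnencoded(SAMPLE, renderSafe(SAMPLE)));
```

The check in `reflectsUnencoded` is the same test a scanner applies when it tags a finding as reflected XSS: send a marker with `<`, `>` or a quote and see whether it comes back byte-for-byte. Note that encoding alone is not enough for the IFRAME case; the Pulse Connect Secure entry below is exactly an attribute-context reflection where quotes were handled but the surrounding context was not.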

CVEs tagged with this topic. Filters apply to the whole list.
2018-06-07
Medium

CVE-2018-3735

bracket-template suffers from reflected XSS, possible when a variable passed via a GET parameter is used in a template.

2018-06-01
Medium

CVE-2018-11552

There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON->Auto-Dialer->Agents->Name" field. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attack…

2018-05-30
Medium

CVE-2018-11568

Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. In some (but not all) cases, the '<' and…

Medium

CVE-2018-11562

An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the dele…

2018-05-29
Medium

CVE-2018-11027

A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remote attackers to inject arbitrary web script or HTML.

2018-05-25
Medium

CVE-2018-11472

Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php).

2018-05-06
Medium

CVE-2018-10686

An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving…

2018-04-29
Medium

CVE-2018-10547

An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages vi…

2018-04-25
Medium

CVE-2018-10208

An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is anonymous reflected XSS on the error page via a /share/error?message= URI.

2018-04-24
Medium

CVE-2018-10329

app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter.

2018-04-22
Medium

CVE-2018-10298

Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.

2018-04-16
Medium

CVE-2018-10135

iScripts eSwap v2.4 has Reflected XSS via the "catwiseproducts.php" catid parameter in the User Panel.

2018-04-12
Medium

CVE-2018-6870

Reflected XSS exists in PHP Scripts Mall Website Seller Script 2.0.3 via the Listings Search feature.

2018-04-11
Medium

CVE-2018-10032

CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter.

Medium

CVE-2018-10029

CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799.

Medium

CVE-2018-10026

The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/module/init.html echostr parameter, related to the valid function in application/wechat/controller/index.class.php.

2018-03-16
Medium

CVE-2017-12590

ASUS RT-N14UHP devices before 3.0.0.4.380.8015 have a reflected XSS vulnerability in the "flag" parameter.

2018-03-09
Medium

CVE-2018-7997

Eramba e1.0.6.033 has Reflected XSS on the Error page of the CSV file inclusion tab of the /importTool/preview URI, with a CSV file polluted with malicious JavaScript.

Medium

CVE-2018-7894

Eramba e1.0.6.033 has Reflected XSS in reviews/filterIndex/ThirdPartyRiskReview via the advanced_filter parameter (aka the Search Parameter).

2018-03-07
Medium

CVE-2018-7741

Eramba e1.0.6.033 has Reflected XSS in the Date Filter via the created parameter to the /crons URI.

2018-03-02
Medium

CVE-2017-14801

Reflected XSS in NetIQ Access Manager before 4.3.3 allowed attackers to reflect XSS into the called page via the url parameter.

2018-02-20
Medium

CVE-2017-16356

Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim's browser by having them visit a plugins/content/sige/plugin_sige…

2018-02-08
Medium

CVE-2018-5550

Versions of Epson AirPrint released prior to January 19, 2018 contain a reflective cross-site scripting (XSS) vulnerability, which can allow untrusted users on the network to hijack a session cookie…

2018-01-22
High

CVE-2018-6010

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Rela…

2018-01-16
Medium

CVE-2018-5712

An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar…

2018-01-10
Medium

CVE-2017-1000428

flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links and a stored XSS in the admin log panel by specifying a malformed User-A…

Medium

CVE-2016-10257

The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7.2.1), ProxySG 6.5 (prior to 6.5.10.6), ProxySG 6.6, and ProxySG 6.7 (prior to 6.7.2.1) management console is susceptible to a ref…

Medium

CVE-2016-10256

The Symantec ProxySG 6.5 (prior to 6.5.10.6), 6.6, and 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management consol…

2018-01-09
Medium

CVE-2017-1000429

rui Li finecms 5.0.10 is vulnerable to a reflected XSS in the file Weixin.php.

2017-12-16
Medium

CVE-2017-14134

A Reflected XSS Vulnerability affects the forgotten password page of Maplesoft Maple T.A. 2016.0.6 (Customer Hosted) via the emailAddress parameter to passwordreset/PasswordReset.do, aka Open Bug Bou…

2017-12-15
Medium

CVE-2017-17698

Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec.

2017-12-04
Medium

CVE-2017-17057

There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The vulnerability exists due to insufficient filtration of user-supplied data in the 'Range' field of the 'Department' module in a Pe…

2017-11-28
Medium

CVE-2017-17043

The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filt…

2017-11-17
Medium

CVE-2017-1000225

Reflected XSS in Relevanssi Premium version 1.14.8 when using relevanssi_didyoumean() could allow an unauthenticated attacker to do almost anything an admin can.

Medium

CVE-2017-1000213

WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search

2017-11-10
Medium

CVE-2017-16785

Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.

Medium

CVE-2017-16784

In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detailtemplate parameter.

2017-11-06
High

CVE-2017-7425

Multiple potential reflected XSS issues exist in NetIQ iManager versions before 2.7.7 Patch 10 HF2 and 3.0.3.2.

2017-10-26
Medium

CVE-2017-12158

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain…

2017-10-25
Medium

CVE-2017-15885

Reflected XSS in the web administration portal on the Axis 2100 Network Camera 2.03 allows an attacker to execute arbitrary JavaScript via the conf_Layout_OwnTitle parameter to view/view.shtml. NOTE:…

2017-10-11
Medium

CVE-2017-15215

Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags parameter to index.php. If the victim is an administrator, an attacker can (fo…

2017-10-10
Medium

CVE-2017-15216

MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.…

2017-08-29
Medium

CVE-2017-3153

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality.

2017-07-19
Medium

CVE-2017-11439

In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter.

2017-07-12
Medium

CVE-2017-11195

Pulse Connect Secure 8.3R1 has Reflected XSS in launchHelp.cgi. The helpLaunchPage parameter is reflected in an IFRAME element, if the value contains two quotes. It properly sanitizes quotes and tags…

Medium

CVE-2017-11194

Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetails.cgi. In the admin panel, the certid parameter of adminservercacertdetails.cgi is reflected in the application's response and i…

2017-07-04
Medium

CVE-2017-7276

There is reflected XSS in TOPdesk before 5.7.6 and 6.x and 7.x before 7.03.019.

2017-05-29
Medium

CVE-2017-9289

Bram Korsten Note through 1.2.0 is vulnerable to a reflected XSS in note-source\ui\editor.php (edit parameter).

Medium

CVE-2017-9288

The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter).

2017-05-28
Medium

CVE-2017-9252

andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action.

Medium

CVE-2017-9251

andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php.

2017-05-18
Medium

CVE-2017-9068

In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the database_type parameter.

2017-05-11
Medium

CVE-2017-8897

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18: admin/convertutf8/index.php?controller= is the attack vector. This UTF…

2017-04-21
Medium

CVE-2017-7992

Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2.8.17 is vulnerable to a reflected XSS in examples/consumer-authentication/cruise.php via the URI, as demonstrated by the cavv pa…

2017-04-14
Medium

CVE-2017-7871

trollepierre/tdm before 2017-04-13 is vulnerable to a reflected XSS in tdm-master/webhook.php (challenge parameter).

2017-04-01
Medium

CVE-2017-7387

TheFirstQuestion/HelpMeWatchWho before 2017-03-28 is vulnerable to a reflected XSS in HelpMeWatchWho-master/unaired.php (episodeID parameter).

Medium

CVE-2017-7386

citymont/symetrie v.0.9.6 is vulnerable to a reflected XSS in symetrie-master/app/commands/page.php (model parameter).

2017-03-28
Medium

CVE-2016-9472

Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other param…

Medium

CVE-2016-9466

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the N…

Medium

CVE-2016-9457

Revive Adserver before 3.2.3 suffers from Reflected XSS. `www/admin/stats.php` is vulnerable to reflected XSS attacks via multiple parameters that are not properly sanitised or escaped when displayed…

Medium

CVE-2016-9128

Revive Adserver before 3.2.3 suffers from reflected XSS. The affiliate-preview.php script in www/admin is vulnerable to a reflected XSS attack. This vulnerability could be used by an attacker to stea…

2017-03-23
Medium

CVE-2016-9169

A reflected XSS vulnerability exists in the web console of the Document Viewer Agent in Novell GroupWise before 2014 R2 Support Pack 1 Hot Patch 2 that may enable a remote attacker to execute JavaScr…

2017-03-11
Medium

CVE-2017-6812

paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.vote.php (id parameter).

Medium

CVE-2017-6811

paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.shop.php (id parameter).

Medium

CVE-2017-6810

paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.fplinks.php (linkid parameter).

Medium

CVE-2017-6809

paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.donate.php (id parameter).

Medium

CVE-2017-6808

paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.faq.php (id parameter).

2017-03-08
Medium

CVE-2017-6544

Gargaj/wuhu through 2017-03-08 is vulnerable to a reflected XSS in wuhu-master/www_admin/users.php (id parameter).

2017-03-07
Medium

CVE-2017-6511

andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php.

Medium

CVE-2017-6509

Smith0r/burgundy-cms before 2017-03-06 is vulnerable to a reflected XSS in admin/components/menu/views/menuitems.php (id parameter).

2017-03-05
Medium

CVE-2017-6480

groovel/cmsgroovel before 3.3.7-beta is vulnerable to a reflected XSS in commons/browser.php (path parameter).

Medium

CVE-2017-6479

FenixHosting/fenix-open-source before 2017-03-04 is vulnerable to a reflected XSS in forums/search.php (search-by-topic parameter).

Medium

CVE-2017-6478

paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter).

2017-02-10
Medium

CVE-2017-5942

An issue was discovered in the WP Mail plugin before 1.2 for WordPress. The replyto parameter when composing a mail allows for a reflected XSS. This would allow you to execute JavaScript in the conte…

2017-02-06
Medium

CVE-2017-5367

Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute…

2017-01-11
Medium

CVE-2016-4807

Web2py versions 2.14.5 and below were affected by a reflected XSS vulnerability, which allows an attacker to perform an XSS attack on a logged-in user (admin).

2016-10-28
Medium

CVE-2016-8583

Multiple GET parameters in the vulnerability scan scheduler of AlienVault OSSIM and USM before 5.3.2 are vulnerable to reflected XSS.

2016-10-10
Medium

CVE-2016-1000155

Reflected XSS in WordPress plugin wpsolr-search-engine v7.6

Medium

CVE-2016-1000154

Reflected XSS in WordPress plugin whizz v1.0.7

Medium

CVE-2016-1000153

Reflected XSS in WordPress plugin tidio-gallery v1.1

Medium

CVE-2016-1000152

Reflected XSS in WordPress plugin tidio-form v1.0

Medium

CVE-2016-1000151

Reflected XSS in WordPress plugin tera-charts v1.0

Medium

CVE-2016-1000150

Reflected XSS in WordPress plugin simplified-content v1.0.0

Medium

CVE-2016-1000149

Reflected XSS in WordPress plugin simpel-reserveren v3.5.2

Medium

CVE-2016-1000148

Reflected XSS in WordPress plugin s3-video v0.983

Medium

CVE-2016-1000147

Reflected XSS in WordPress plugin recipes-writer v1.0.4

Medium

CVE-2016-1000146

Reflected XSS in WordPress plugin pondol-formmail v1.1

Medium

CVE-2016-1000145

Reflected XSS in WordPress plugin pondol-carousel v1.0

Medium

CVE-2016-1000144

Reflected XSS in WordPress plugin photoxhibit v2.1.8

Medium

CVE-2016-1000143

Reflected XSS in WordPress plugin photoxhibit v2.1.8

Medium

CVE-2016-1000142

Reflected XSS in WordPress plugin parsi-font v4.2.5

Medium

CVE-2016-1000141

Reflected XSS in WordPress plugin page-layout-builder v1.9.3

Medium

CVE-2016-1000140

Reflected XSS in WordPress plugin new-year-firework v1.1.9

Medium

CVE-2016-1000139

Reflected XSS in WordPress plugin infusionsoft v1.5.11

Medium

CVE-2016-1000138

Reflected XSS in WordPress plugin indexisto v1.0.5

Medium

CVE-2016-1000137

Reflected XSS in WordPress plugin hero-maps-pro v2.1.0

Medium

CVE-2016-1000136

Reflected XSS in WordPress plugin heat-trackr v1.0

Medium

CVE-2016-1000135

Reflected XSS in WordPress plugin hdw-tube v1.2

Medium

CVE-2016-1000134

Reflected XSS in WordPress plugin hdw-tube v1.2

Medium

CVE-2016-1000133

Reflected XSS in WordPress plugin forget-about-shortcode-buttons v1.1.1

Medium

CVE-2016-1000132

Reflected XSS in WordPress plugin enhanced-tooltipglossary v3.2.8

Medium

CVE-2016-1000131

Reflected XSS in WordPress plugin e-search v1.0

Medium

CVE-2016-1000130

Reflected XSS in WordPress plugin e-search v1.0

Medium

CVE-2016-1000129

Reflected XSS in WordPress plugin defa-online-image-protector v3.3

Medium

CVE-2016-1000128

Reflected XSS in WordPress plugin anti-plagiarism v3.60

Medium

CVE-2016-1000127

Reflected XSS in WordPress plugin ajax-random-post v2.00

Medium

CVE-2016-1000126

Reflected XSS in WordPress plugin admin-font-editor v1.8

2013-08-20
Medium

CVE-2013-4653

Multiple cross-site scripting (XSS) vulnerabilities in the signin functionality of ics in MyTeamwork services in Alcatel-Lucent Omnitouch 8660 My Teamwork before 6.7, Omnitouch 8670 Automated Message…

2012-10-09
Medium

CVE-2012-2552

Cross-site scripting (XSS) vulnerability in the SQL Server Report Manager in Microsoft SQL Server 2000 Reporting Services SP2 and SQL Server 2005 SP4, 2008 SP2 and SP3, 2008 R2 SP1, and 2012 allows r…

2012-09-11
Medium

CVE-2012-2536

Cross-site scripting (XSS) vulnerability in Microsoft Systems Management Server 2003 SP3 and System Center Configuration Manager 2007 SP2 allows remote attackers to inject arbitrary web script or HTM…

2011-10-12
Medium

CVE-2011-1897

Cross-site scripting (XSS) vulnerability in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, Update 1, Update 2, and SP1 allows remote attackers to inject arbitrary web script or HTML via…

Medium

CVE-2011-1896

Cross-site scripting (XSS) vulnerability in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, Update 1, Update 2, and SP1 allows remote attackers to inject arbitrary web script or HTML via…

2011-09-15
Medium

CVE-2011-1891

Cross-site scripting (XSS) vulnerability in Microsoft Windows SharePoint Services 3.0 SP2, and SharePoint Foundation 2010 Gold and SP1, allows remote attackers to inject arbitrary web script or HTML…

2006-03-14
Medium

CVE-2006-1215

Cross-site scripting (XSS) vulnerability in misc.php in Woltlab Burning Board (wBB) 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the percent parameter. NOTE: this issue h…