About “Stored XSS”

A curated feed of “Stored XSS”-related CVEs appears below. We currently track 5376 CVEs for this tag (all time). In the last 365 days, 1195 were published. Average CVSS is 6.2 (all time; 6.4 over 365d), and 18% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-352 - Cross-Site Request Forgery (CSRF), CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

In our taxonomy this topic maps to a MODERATE impact class: common exploitation patterns for this weakness can lead to moderate impact. Use the filters below to sort by CVSS, risk and CWE, triage high-risk entries first, and validate exposure in your environment. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic.

2021-09-27
Medium

CVE-2021-40106

An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.

2021-09-24
High

CVE-2016-6556

OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an at…

High

CVE-2016-6555

OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload…

Medium

CVE-2021-40100

An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.

2021-09-23
Medium

CVE-2021-36823

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cusmin AGCA - Absolutely Glamorous Custom Admin (WordPress plugin) allows Stored XSS. This issue a…

2021-09-20
Medium

CVE-2021-24584

The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update…

Medium

CVE-2021-24525

The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcod…

2021-09-17
Medium

CVE-2021-41391

In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account…

2021-09-15
Medium

CVE-2021-40966

A Stored XSS exists in TinyFileManager, all versions up to and including 2.4.6, in /tinyfilemanager.php when the server is given a file that contains HTML and JavaScript in its name. A malicious user ca…

2021-09-13
Medium

CVE-2021-24586

The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugi…

Medium

CVE-2021-29643

PRTG Network Monitor before 21.3.69.1333 allows stored XSS via an unsanitized string imported from a User Object in a connected Active Directory instance.

Medium

CVE-2021-40214

Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component.

2021-09-09
High

CVE-2021-39202

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 ha…

2021-09-08
Medium

CVE-2021-31274

In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can g…

Medium

CVE-2021-40377

SmarterTools SmarterMail 16.x before build 7866 has stored XSS. The application fails to sanitize email content, thus allowing one to inject HTML and/or JavaScript into a page that will then be proce…

2021-09-01
Medium

CVE-2021-39186

GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable t…

2021-08-31
Medium

CVE-2021-37794

A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user authorized to upload a malicious .svg file which acts as a stored XSS payload. If t…

Medium

CVE-2021-35240

A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because they do not support 'rel=noopener'.

Medium

CVE-2020-13639

A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store m…

2021-08-29
Medium

CVE-2021-40178

Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.

Medium

CVE-2021-40176

Zoho ManageEngine Log360 before Build 5225 allows stored XSS.

2021-08-23
Medium

CVE-2021-24556

The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST…

Medium

CVE-2021-24547

The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.

2021-08-20
Medium

CVE-2021-22238

An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.

2021-08-17
Medium

CVE-2021-39250

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-gener…

2021-08-16
Medium

CVE-2021-24541

The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

Medium

CVE-2021-24540

The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS atta…

Medium

CVE-2021-24538

The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser lea…

Medium

CVE-2021-24471

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, langua…

Medium

CVE-2021-24410

The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and does not sanitise or escape them when outputting them back in the page. This co…

2021-08-15
Critical

CVE-2021-25955

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note…

2021-08-12
Medium

CVE-2021-38603

PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.

Medium

CVE-2021-38602

PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.

2021-08-11
Medium

CVE-2021-38538

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, R8900 before 1.0.4.26, R9000 before 1.0.4.26, RAX120 before 1.0.0.78, RBK20 before 2.3.5…

Medium

CVE-2021-38537

Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.66, R6260 before 1.1.0…

Medium

CVE-2021-38536

Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.66, R6260 before 1.1.0…

Medium

CVE-2021-38535

Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.76, R6260 before 1.1.0…

Medium

CVE-2021-38534

Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, D6100 before 1.0.0.60, D6200 before 1.1.00.36, D6220 before 1.0.0.52, D6400 before 1.0.0…

Medium

CVE-2021-38533

NETGEAR RAX40 devices before 1.0.3.64 are affected by stored XSS.

2021-08-10
Medium

CVE-2021-37391

A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies…

Medium

CVE-2021-37389

Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter.

2021-08-09
Medium

CVE-2021-37211

The bulletin function of Flygo does not filter special characters while a new announcement is added. Remote attackers can use the vulnerability with general user’s credential to inject JavaScript an…

Medium

CVE-2021-24509

The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post m…

2021-08-06
Medium

CVE-2021-37552

In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.

2021-08-05
Medium

CVE-2020-22732

CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > File Picker.

2021-08-04
Medium

CVE-2021-38113

In addBouquet in js/bqe.js in OpenWebif (aka e2openplugin-OpenWebif) through 1.4.7, inserting JavaScript into the Add Bouquet feature of the Bouquet Editor (i.e., bouqueteditor/api/addbouquet?name=)…

Medium

CVE-2021-32793

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blockl…

2021-08-02
Medium

CVE-2021-24481

The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS paylo…

Medium

CVE-2021-24468

The Leaflet Map WordPress plugin before 3.0.0 does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to…

Medium

CVE-2021-3351

OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page.

2021-07-30
Medium

CVE-2021-37743

app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.

Medium

CVE-2021-37742

app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.

Medium

CVE-2020-26563

ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from…

Medium

CVE-2021-35479

Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who open a crafted link…

2021-07-29
Medium

CVE-2021-25273

Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706.

2021-07-26
Medium

CVE-2021-37393

In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, a…

Medium

CVE-2021-37392

In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XS…

Medium

CVE-2021-36563

The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device with HTML…

Medium

CVE-2021-37534

app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.

2021-07-22
Medium

CVE-2020-7390

Sage X3 Stored XSS Vulnerability on ‘Edit’ Page of User Profile. An authenticated user can pass XSS strings to the "First Name," "Last Name," and "Email Address" fields of this web application component…

2021-07-20
Medium

CVE-2020-25205

The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php. An unauthenticated attacker may se…

2021-07-17
Medium

CVE-2021-36772

Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.

2021-07-12
Medium

CVE-2020-19203

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget…

Medium

CVE-2020-19201

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encod…

2021-07-07
Medium

CVE-2021-36212

app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.

2021-07-06
Medium

CVE-2021-27930

Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16, which allows an authenticated (or compromised) user to inject malicious JavaScript in folder/file name within the application in order…

2021-07-01
Medium

CVE-2021-31813

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.

Medium

CVE-2020-36196

A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc.…

2021-06-25
Medium

CVE-2021-35501

PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.

2021-06-24
Medium

CVE-2021-32713

Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommended to update to version 5.6.10. Y…

Medium

CVE-2021-25656

Stored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which could allow an authenticated user to potentially disclose sensitive information. Affected…

2021-06-17
Medium

CVE-2020-19202

An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It…

2021-06-11
Medium

CVE-2021-26829

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.

2021-06-10
Medium

CVE-2020-24668

Trace Financial Crest Bridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.

Medium

CVE-2020-24663

Trace Financial CRESTBridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.

2021-06-08
Medium

CVE-2021-22220

An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks.

2021-06-07
Medium

CVE-2021-28382

Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.

2021-06-01
Medium

CVE-2021-24309

The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject javascript code using the <script> HTML tags…

2021-05-28
Critical

CVE-2021-20195

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encod…

Medium

CVE-2021-32540

Add announcement function in the 101EIP system does not filter special characters, which allows authenticated users to inject JavaScript and perform a stored XSS attack.

Medium

CVE-2021-32539

Add event in calendar function in the 101EIP system does not filter special characters in specific fields, which allows remote authenticated users to inject JavaScript and perform a stored XSS attack.

2021-05-26
Medium

CVE-2021-27676

Centreon version 20.10.2 is affected by a cross-site scripting (XSS) vulnerability. The dep_description (Dependency Description) and dep_name (Dependency Name) parameters are vulnerable to stored XSS…

Medium

CVE-2021-29252

RSA Archer before 6.9 SP1 P1 (6.9.1.1) contains a stored XSS vulnerability. A remote authenticated malicious Archer user with access to modify link name fields could potentially exploit this vulnerab…

2021-05-25
Medium

CVE-2021-33570

Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of…

2021-05-24
Medium

CVE-2021-30082

An issue was discovered in Gris CMS v0.1. There is a Persistent XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via admin/dashboard.

Medium

CVE-2021-24305

The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a…

2021-05-21
Medium

CVE-2021-33512

Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.

2021-05-20
Medium

CVE-2021-27956

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

2021-05-18
Medium

CVE-2020-24026

TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0. TinyShop allows XSS via the explain_first and again_explain parameters of the /ev…

2021-05-17
Medium

CVE-2020-24993

There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when visitors access the article module.

Medium

CVE-2020-24992

There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when an administrator accesses the content management module.

Medium

CVE-2021-24315

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email s…

2021-05-14
Medium

CVE-2020-23689

In YFCMF v2.3.1, there is a stored XSS vulnerability in the comments section of the news page.

2021-05-11
Medium

CVE-2021-3315

In JetBrains TeamCity before 2020.2.2, stored XSS on a tests page was possible.

Medium

CVE-2021-31908

In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages.

Medium

CVE-2021-27733

In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment.

Medium

CVE-2021-30174

When a RiyaLab CloudISO event item is added, special characters in a specific field of the time management page are not properly filtered, which allows remote authenticated attackers to inject malicious JavaScrip…

2021-05-10
Medium

CVE-2020-23376

NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/nav/add.html, as demonstrated by adding a navigation column which can be injected with arbitrary web script or HTML via the name parame…

Medium

CVE-2020-23370

In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected wit…

2021-05-07
Medium

CVE-2021-30171

Special characters of ERP POS news page are not filtered in users’ input, which allows remote authenticated attackers to inject malicious JavaScript and carry out stored XSS (Stored Cross-site script…

Medium

CVE-2021-30170

Special characters of ERP POS customer profile page are not filtered in users’ input, which allows remote authenticated attackers to inject malicious JavaScript and carry out stored XSS (Stored Cross…

Medium

CVE-2021-32103

A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows an admin authenticated user to inject arbitrary web script or HTML via the lname parameter.

2021-04-28
Medium

CVE-2020-22790

Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute code by injecting arbitrary web script or HTML via modifying the name of the users. The XSS i…

Medium

CVE-2020-22789

Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is exe…

2021-04-23
Medium

CVE-2021-31583

Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters t…

2021-04-22
Low

CVE-2021-22199

An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.

2021-04-21
Medium

CVE-2021-31327

Stored XSS in Remote Clinic v2.0 in /medicines due to Medicine Name Field.

2021-04-20
Critical

CVE-2021-28827

The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for…

2021-04-15
High

CVE-2021-29448

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the net…

2021-04-13
Medium

CVE-2021-30637

htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php.

2021-04-08
Medium

CVE-2021-30111

A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. An attacker can inject JavaScript code that will be stored in the page. If any vis…

2021-04-06
Medium

CVE-2021-22157

Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.11.1 allows stored XSS.

Medium

CVE-2021-30146

Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality."

Medium

CVE-2021-30140

LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript conte…

Medium

CVE-2020-36307

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.

2021-04-05
Medium

CVE-2021-24211

The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to ex…

2021-04-02
Medium

CVE-2021-29661

Softing AG OPC Toolbox through 4.10.1.13035 allows /en/diag_values.html Stored XSS via the ITEMLISTVALUES##ITEMID parameter, resulting in JavaScript payload injection into the trace file. This payloa…

Medium

CVE-2021-30003

An issue was discovered on Nokia G-120W-F 3FE46606AGAB91 devices. There is Stored XSS in the administrative interface via urlfilter.cgi?add url_address.

2021-03-26
Medium

CVE-2020-35856

SolarWinds Orion Platform before 2020.2.5 allows stored XSS attacks by an administrator on the Customize View page.

2021-03-23
Medium

CVE-2021-27969

Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter.