About “Stored XSS”

A curated feed of “Stored XSS”-related CVEs appears below. We currently track 5376 CVEs for this tag (all time). In the last 365 days, 1195 were published. Average CVSS is 6.2 (all time; 6.4 over 365d), and 18% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-352 - Cross-Site Request Forgery (CSRF), CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

In our taxonomy this topic maps to a MODERATE impact class; common exploitation patterns for this weakness lead to moderate impact. Use the filters below to sort by CVSS, risk and CWE, triage the highest-risk entries first, and validate exposure in your environment. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

2018-04-09
Medium

CVE-2018-9864

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.

2018-04-07
Medium

CVE-2018-9330

register.jsp in Coremail XT3.0 allows stored XSS, as demonstrated by the third form field to a URI under register/, a different vulnerability than CVE-2015-6942.

2018-04-05
Medium

CVE-2018-7035

Cross-site scripting (XSS) vulnerability in Gleez CMS 1.2.0 and 2.0 might allow remote attackers (users) to inject JavaScript via HTML content in an editor, which will result in Stored XSS when an Ad…

2018-03-24
Medium

CVE-2015-9257

BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service Pack 2 hot fix 1 has persistent XSS.

2018-03-21
Medium

CVE-2018-1229

Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature. An unauthenticated malicious user with network access to Spring Batch Admin could store an ar…

2018-03-17
Medium

CVE-2018-8737

Bookme Control Panel 2.0 Application is vulnerable to stored XSS within the Customers "Book Me" function. Within the Name and Note (aka custName and custNote) sections of the Customers screen, the ap…

2018-03-15
Medium

CVE-2018-8721

Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen.

2018-03-13
Medium

CVE-2018-1000088

Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth…

Medium

CVE-2018-8078

YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html.

2018-03-12
Medium

CVE-2018-7893

CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter.

2018-03-09
Medium

CVE-2018-7996

Eramba e1.0.6.033 has Stored XSS on the tooltip box via the /programScopes description parameter.

2018-03-07
Medium

CVE-2018-7564

Stored XSS exists on Polycom QDX 6000 devices.

High

CVE-2018-7746

An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is trigg…

2018-03-06
Medium

CVE-2018-7724

The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.

Medium

CVE-2018-7723

The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-…

Medium

CVE-2018-7722

The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.

Medium

CVE-2018-7650

PHP Scripts Mall Hot Scripts Clone:Script Classified Version 3.1 Application is vulnerable to stored XSS within the "Add New" function for a Management User. Within the "Add New" section, the applica…

2018-02-21
Medium

CVE-2018-7261

There are multiple Persistent XSS vulnerabilities in Radiant CMS 1.1.4. They affect Personal Preferences (Name and Username) and Configuration (Site Title, Dev Site Domain, Page Parts, and Page Field…

Medium

CVE-2018-7278

An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP 2.1 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BAC…

Medium

CVE-2018-7277

An issue was discovered on RLE Wi-MGR/FDS-Wi 6.2 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This…

2018-02-20
Medium

CVE-2018-7265

Shimmie 2 2.6.0 allows an attacker to upload a crafted SVG file that enables stored XSS.

2018-02-07
Medium

CVE-2018-6796

PHP Scripts Mall Multilanguage Real Estate MLM Script 3.0 has Stored XSS via every profile input field.

Medium

CVE-2018-6795

PHP Scripts Mall Naukri Clone Script 3.0.3 has Stored XSS via every profile input field.

Medium

CVE-2018-6655

PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an arbitrary profile field.

2018-02-04
Medium

CVE-2017-8783

Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.

Medium

CVE-2017-17703

Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS.

2018-01-24
Critical

CVE-2017-1000474

Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is vulnerable to multiple SQL Injecting in login/vehicle.php, login/profile.php, login/Actions.php, login/manage_employee.php, and…

2018-01-12
Medium

CVE-2017-18014

An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log pa…

2018-01-10
Medium

CVE-2017-1000428

flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links and a stored XSS in the admin log panel by specifying a malformed User-A…

2018-01-08
Medium

CVE-2018-5071

Persistent XSS exists in the web server on Cobham Sea Tel 116 build 222429 satellite communication system devices: remote attackers can inject malicious JavaScript code using the device's TELNET shel…

2017-12-30
Medium

CVE-2017-12813

PHPJabbers File Sharing Script 1.0 has stored XSS in the comments section.

Medium

CVE-2017-12812

PHPJabbers Night Club Booking Software has stored XSS in the name parameter in the reservations tab.

Medium

CVE-2017-12811

PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item.

Medium

CVE-2017-12810

PHPJabbers PHP Newsletter Script 4.2 has stored XSS in lists in the admin panel.

2017-12-22
Medium

CVE-2017-15312

Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) vulnerability in the dashboard module. A remote authenticated attacker could exploit this vulnerability to inject malicious script…

2017-11-27
Medium

CVE-2017-15100

An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends…

Medium

CVE-2017-16962

The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a craf…

2017-11-17
Medium

CVE-2017-1000227

Stored XSS in Salutation Responsive WordPress + BuddyPress Theme version 3.0.15 could allow logged-in users to do almost anything an admin can

2017-11-16
Medium

CVE-2017-16843

Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKeyword or NewDomain field to /goform/RgParentalBasic.

Medium

CVE-2017-16836

Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC20.CT software allow Unauthenticated Stored XSS via the actionHandler/ajax_managed_services.php service parameter.

2017-11-12
Medium

CVE-2017-16799

In CMS Made Simple 2.2.3.1, in modules/New/action.addcategory.php, stored XSS is possible via the m1_name parameter to admin/moduleinterface.php during addition of a category, a related issue to CVE-…

2017-10-31
Medium

CVE-2016-10699

D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS attacks in the username and password fields: a remote unauthenticated user may craft logins and passwords with script tags in the…

2017-10-18
Medium

CVE-2017-15574

In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.

Medium

CVE-2016-10515

In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.

2017-10-17
Medium

CVE-2017-15538

Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to th…

2017-10-11
Medium

CVE-2017-15214

Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (incl…

Medium

CVE-2017-15213

Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/temp…

2017-10-04
Medium

CVE-2017-14995

The Management Console in WSO2 Application Server 5.3.0, WSO2 Business Process Server 3.6.0, WSO2 Business Rules Server 2.2.0, WSO2 Complex Event Processor 4.2.0, WSO2 Dashboard Server 2.0.0, WSO2 Da…

2017-10-02
Medium

CVE-2017-14957

Stored XSS vulnerability via a comment in inc/conv.php in BlogoText before 3.7.6 allows an unauthenticated attacker to inject JavaScript. If the victim is an administrator, an attacker can (for examp…

2017-09-30
Medium

CVE-2017-14923

Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by…

Medium

CVE-2017-14922

Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is m…

Medium

CVE-2017-14921

Stored XSS vulnerability via IMG element at "Filename" of Filemanager in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rend…

Medium

CVE-2017-14920

Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during…

2017-09-29
Medium

CVE-2017-7554

It was found that the App Studio component of RHMAP 4.4 executes javascript provided by a user. An attacker could use this flaw to execute a stored XSS attack on an application administrator using Ap…

2017-09-22
Medium

CVE-2017-14717

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.

Medium

CVE-2017-14716

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title parameter.

Medium

CVE-2017-14715

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Title parameter.

Medium

CVE-2017-14714

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subject parameter.

Medium

CVE-2017-14713

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Description parameter.

Medium

CVE-2017-14712

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.

2017-09-14
Medium

CVE-2017-1002017

Vulnerability in wordpress plugin gift-certificate-creator v1.0, The code in gc-list.php doesn't sanitize user input to prevent a stored XSS vulnerability.

Medium

CVE-2017-1002011

Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, There is a stored XSS vulnerability via the $value->gallery_name and $value->gallery_description where anyone with privileges to…

2017-08-24
Medium

CVE-2017-13671

app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisati…

2017-08-21
Medium

CVE-2017-12980

DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-co…

Medium

CVE-2017-12979

DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger Ja…

2017-08-03
Medium

CVE-2017-11320

Persistent XSS through the SSID of nearby Wi-Fi devices on Technicolor TC7337 routers 08.89.17.20.00 allows an attacker to cause DNS Poisoning and steal credentials from the router.

2017-08-02
Medium

CVE-2017-12139

XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.

2017-07-28
Medium

CVE-2017-11716

MetInfo through 5.3.17 allows stored XSS via HTML Edit Mode.

2017-07-17
Medium

CVE-2017-11128

Bolt CMS 3.2.14 allows stored XSS via text input, as demonstrated by the Title field of a New Entry.

Medium

CVE-2017-11127

Bolt CMS 3.2.14 allows stored XSS by uploading an SVG document with a "Content-Type: image/svg+xml" header.

Medium

CVE-2017-1000058

Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one in the user profile and one in the Exif data parser.

Medium

CVE-2017-1000038

WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS resulting in attacker being able to execute JavaScript on the affected site

Medium

CVE-2017-1000012

MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user

Medium

CVE-2017-1000011

MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information

Medium

CVE-2017-1000005

PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the name of databases, tables and columns resulting in potential account takeover and scraping of data (stealing data).

2017-07-12
Medium

CVE-2017-11180

FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login scre…

Medium

CVE-2017-11179

FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account.

2017-06-02
Medium

CVE-2017-9361

WebsiteBaker v2.10.0 has a stored XSS vulnerability in /account/details.php.

2017-06-01
Medium

CVE-2017-9337

The Markdown on Save Improved plugin 2.5 for WordPress has a stored XSS vulnerability in the content of a post.

Medium

CVE-2017-9336

The WP Editor.MD plugin 1.6 for WordPress has a stored XSS vulnerability in the content of a post.

2017-05-28
Medium

CVE-2017-7296

An issue was discovered in Contiki Operating System 3.0. A Persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of cc26xx-web-demo. The cc26xx-web-demo features a…

2017-05-23
Medium

CVE-2017-3128

A stored XSS (Cross-Site-Scripting) vulnerability in Fortinet FortiOS allows attackers to execute unauthorized code or commands via the policy global-label parameter.

2017-05-11
High

CVE-2017-8899

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered b…

Critical

CVE-2017-8898

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack use…

2017-05-03
Medium

CVE-2017-7430

Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have a persistent XSS vulnerability in Framework.

2017-04-24
Medium

CVE-2017-8102

Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xss…

2017-03-28
Medium

CVE-2016-9465

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud all…

Medium

CVE-2016-9454

Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The banner image…

Medium

CVE-2016-9130

Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The website name…

Medium

CVE-2016-9126

Revive Adserver before 3.2.3 suffers from persistent XSS. Usernames are not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An…

2017-03-02
Medium

CVE-2017-6103

Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1.

Medium

CVE-2017-6102

Persistent XSS in wordpress plugin rockhoist-badges v1.2.2.

2016-10-28
Medium

CVE-2016-8581

A persistent XSS vulnerability exists in the User-Agent header of the login process of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to steal session IDs of logged in users when the c…

2014-01-10
High

CVE-2014-1408

The Conceptronic C54APM access point with runtime code 1.26 has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via an HTTP request, as…

2013-08-20
Medium

CVE-2013-4653

Multiple cross-site scripting (XSS) vulnerabilities in the signin functionality of ics in MyTeamwork services in Alcatel-Lucent Omnitouch 8660 My Teamwork before 6.7, Omnitouch 8670 Automated Message…

2013-05-27
Low

CVE-2013-2955

Cross-site scripting (XSS) vulnerability in IBM InfoSphere Optim Data Growth for Oracle E-Business Suite 6.x, 7.x, and 9.x before 9.1.0.3 allows remote authenticated users to inject arbitrary web scr…