Tag
#xss
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Groundhogg Inc. HollerBox plugin <= 2.3.2 versions.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Pensopay WooCommerce PensoPay plugin <= 6.3.1 versions.
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Stockdio Stock Quotes List plugin <= 2.9.9 versions.
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in UserFeedback Team User Feedback plugin <= 1.0.7 versions.
A Stored Cross-Site Scripting (XSS) vulnerability was found in SourceCodester Task Management System 1.0. It allows attackers to execute arbitrary code via parameter field in index.php?page=project_list.
Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface. Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw. "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a
All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. An attacker can add the \r\n (carriage return, line feed) characters to end the HTTP response headers and inject malicious content, such as additional headers or a new response body, leading to a potential XSS vulnerability.
All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered.
Online Movie Ticket Booking System v1.0 is vulnerable to an authenticated Reflected Cross-Site Scripting vulnerability.
discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross-site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9`, which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.