#xss

A stored cross-site scripting (XSS) vulnerability in Bagecms v3.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Settings module.

1. EXECUTIVE SUMMARY CVSS v3 9.8  ATTENTION: Exploitable remotely/low attack complexity  Vendor: PiiGAB, Processinformation i Göteborg Aktiebolag  Equipment: M-Bus SoftwarePack 900S  Vulnerabilities: Code Injection, Improper Restriction of Excessive Authentication Attempts, Unprotected Transport of Credentials, Use of Hard-coded Credentials, Plaintext Storage of a Password, Cross-site Scripting, Weak Password Requirements, Use of Password Hash with Insufficient Computational Effort, Cross-Site Request Forgery  2. RISK EVALUATION Successful exploitation of these vulnerabilities could crash allow an attacker to inject arbitrary commands, steal passwords, or trick valid users into executing malicious commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS PiiGAB reports these vulnerabilities affect the following wireless meter reading software:   M-Bus SoftwarePack 900S 3.2 VULNERABILITY OVERVIEW 3.2.1 CODE INJECTION CWE-94 PiiGAB M-Bus does not correctly sanitize user input, which could all...

Debian Linux Security Advisory 5447-1 - Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, a bypass of vandalism protections or information disclosure.

Archon CMS version 3.14 suffers from a cross site scripting vulnerability.

All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.

Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4.

A cross-site scripting (XSS) vulnerability in User Registration & Login and User Management System with Admin Panel v3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the first and last name field.

### Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing potentially dangerous files when such files are accessed directly! The previous Nginx configuration was incorrect allowing certain browsers like Firefox to ignore the `Content-Type: text/plain` header on some occasions thus allowing potentially dangerous scripts to be executed. Additionally file upload validators and parts of the HTML rendering code have been found to require additional sanitation and improvements. ### Patches - Updated Nginx content type configuration - Improved file upload validation code to prevent more potentially dangerous uploads - Sanitization of test plan names used in the `tree_view_html()` function ### References Disclosed by [M Nadeem Qazi](https://huntr.dev/bounties/511489dd-ba38-4806-9029-b28ab2830aa8/) and ...

Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.

taocms <=3.0.2 is vulnerable to Cross Site Scripting (XSS).