Stored XSS viva .webmv file upload in GitHub repository star7th/showdoc prior to 2.10.4.

Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to 2.10.4.

Stored XSS via File Upload in GitHub repository star7th/showdoc prior to 2.10.4.

Stored XSS via File Upload in GitHub repository star7th/showdoc prior to v.2.10.4.

File Upload Restriction Bypass leading to Stored XSS Vulnerability in GitHub repository star7th/showdoc prior to 2.10.4.

Stored XSS viva axd and cshtml file upload in star7th/showdoc in GitHub repository star7th/showdoc prior to v2.10.4.

Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.

Stored XSS viva .webma file upload in GitHub repository star7th/showdoc prior to 2.10.4.

Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.

Zenario CMS 9.0.54156 is vulnerable to Cross Site Scripting (XSS) via upload file to *.SVG. An attacker can send malicious files to victims and steals victim's cookie leads to account takeover. The person viewing the image of a contact can be victim of XSS.

Stored XSS viva cshtm file upload in GitHub repository star7th/showdoc prior to v2.10.4.

Stored XSS in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.

Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4.

Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4.

Stored XSS via file upload in GitHub repository star7th/showdoc prior to v2.10.4.

Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4.

phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows parameter (aka num or number).

An issue was discovered in PONTON X/P Messenger before 3.11.2. Several functions are vulnerable to reflected XSS, as demonstrated by private/index.jsp?partners/ShowNonLocalPartners.do?localID= or private/index.jsp or private/index.jsp?database/databaseTab.jsp or private/index.jsp?activation/activationMainTab.jsp or private/index.jsp?communication/serverTab.jsp or private/index.jsp?emailNotification/notificationTab.jsp.

An issue was discovered in PONTON X/P Messenger before 3.11.2. The navigation tree that is shown on the left side of every page of the web application is vulnerable to XSS: it allows injection of JavaScript into its nodes. Creating such nodes is only possible for users who have the role Configuration Administrator or Administrator.