There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user.

Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.

Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.

A Stored Cross-Site Scripting (XSS) vulnerability in the “Marmind” web application with version 4.1.141.0 allows an attacker to inject code that will later be executed by legitimate users when they open the assets containing the JavaScript code. This would allow an attacker to perform unauthorized actions in the application on behalf of legitimate users or spread malware via the application. By using the “Assets Upload” function, an attacker can abuse the upload function to upload a malicious PDF file containing a stored XSS.

HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site).

Stored XSS in InterMind iMind Server through 3.13.65 allows any user to hijack another user's session by sending a malicious file in the chat.

AudimexEE before 14.1.1 is vulnerable to Reflected XSS (Cross-Site-Scripting). If the recommended security configuration parameter "unique_error_numbers" is not set, remote attackers can inject arbitrary web script or HTML via 'action, cargo, panel' parameters that can lead to data leakage.

Immuta v2.8.2 is affected by stored XSS that allows a low-privileged user to escalate privileges to administrative permissions. Additionally, unauthenticated attackers can phish unauthenticated Immuta users to steal credentials or force actions on authenticated users through reflected, DOM-based XSS.

The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 allows XSS via URLBlocking Settings, SNMP Settings, and System Log Settings.

Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.

NeDi 1.9C allows pwsec.php oid XSS.

NeDi 1.9C allows inc/rt-popup.php d XSS.

WordPress before 5.5.2 allows stored XSS via post slugs.

WordPress before 5.5.2 allows XSS associated with global variables.

IceWarp 11.4.5.0 allows XSS via the language parameter.

A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages.

Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.

Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged users.

NeoPost Mail Accounting Software Pro 5.0.6 allows php/Commun/FUS_SCM_BlockStart.php?code= XSS.

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.