IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/ with the parameter password is non-persistent in 10.2.0.

IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][uid] is non-persistent in 10.1.3 and 10.2.0.

IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][action] is non-persistent in 10.1.3 and 10.2.0.

IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][controller] is non-persistent in 10.1.3 and 10.2.0.

IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: admin/login.html with the parameter username is persistent in 10.2.0.

Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.

laravel-bjyblog 6.1.1 has XSS via a crafted URL.

Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[sample_input] parameter to web/admin/problem/create or web/polygon/problem/update.

Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[description] parameter to web/admin/problem/create or web/polygon/problem/update.

Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[title] parameter to web/polygon/problem/create or web/polygon/problem/update or web/admin/problem/create.

b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header.

prettyPhoto before 3.1.6 has js/jquery.prettyPhoto.js XSS.

The incoming-links plugin before 0.9.10b for WordPress has referrers.php XSS via the Referer HTTP header.

The content-grabber plugin 1.0 for WordPress has XSS via obj_field_name or obj_field_id.

The broken-link-manager plugin 0.4.5 for WordPress has XSS via the page parameter in a delURL action.

The searchterms-tagging-2 plugin through 1.535 for WordPress has XSS via the wp-admin/options-general.php count parameter.

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.

z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen.

An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/admin/general.config/edit CSRF vulnerability, as demonstrated by resultant XSS via the row[name] parameter.