cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464).

cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461).

cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459).

cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).

cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).

cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).

Planon before Live Build 41 has XSS.

Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type.

edx-platform before 2015-09-17 allows XSS via a team name.

edx-platform before 2015-08-17 allows XSS in the Studio listing of courses.

stacktable.js before 1.0.4 allows XSS.

Dependency-Track before 3.5.1 allows XSS.

invenio-communities before 1.0.0a20 allows XSS.

invenio-records before 1.2.2 allows XSS.

invenio-previewer before 1.0.0a12 allows XSS.

An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name wp-admin/admin-ajax.php POST parameter.

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation.

EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be executed when a user opens a page of any profile with this.

An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code.

An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. A malicious attacker can modify the firstName and lastName to contain JavaScript code.