An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages due to a lack of input validation and output encoding.

paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in the SetPaymentOptions.php resulting code execution

An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. It allows a stored XSS attack via the $_POST['name'] parameter.

Nagios XI before 5.5.4 has XSS in the auto login admin management page.

An issue was discovered in Eventum 3.5.0. /htdocs/list.php has XSS via the show_notification_list_issues or show_authorized_issues parameter.

An issue was discovered in Eventum 3.5.0. /htdocs/popup.php has XSS via the cat parameter.

An issue was discovered in Eventum 3.5.0. /htdocs/validate.php has XSS via the values parameter.

An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS via the current_page parameter.

An issue was discovered in Eventum 3.5.0. htdocs/ajax/update.php has XSS via the field_name parameter.

PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file.

KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault.

A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim.

iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569.

Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket.

TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.

The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/rencontre_widget.php.

The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.

Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page.

In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.

In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186.