An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to inject a JavaScript payload that will be stored in the database and then displayed and executed on the same page, aka XSS.

An issue was discovered in the administration page in IPBRICK OS 6.3. There are multiple XSS vulnerabilities.

Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "<img src=# onerror='eval(new Buffer(" substring.

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen.

In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.

Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element.

The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories URI.

Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote execution command on the victim's computer.

Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation.

index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name.

index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.

panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page.

Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown.

ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS.

The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for editors or admins.

Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting.

include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.

Subrion CMS 4.2.1 allows _core/en/contacts/ XSS via the name, email, or phone parameter.

In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.