enhavo 0.4.0 has XSS via a user-group that contains executable JavaScript code in the user-group name. The XSS attack launches when a victim visits the admin user group page.
CWE-79
CVE-2018-8846
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is then served to other users.
CVE-2018-8805
Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.php?r=default/column/index&col=guestbook request.
CVE-2018-8815
Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image.
CVE-2018-8737
Bookme Control Panel 2.0 Application is vulnerable to stored XSS within the Customers “Book Me” function. Within the Name and Note (aka custName and custNote) sections of the Customers screen, the application does not sanitize user-supplied input and renders injected JavaScript code to the user’s browser.
CVE-2018-8738
Airties 5444 1.0.0.18 and 5444TT 1.0.0.18 devices allow XSS.