The “Add Link to Facebook” plugin through 2.3 for WordPress has XSS via the al2fb_facebook_id parameter to wp-admin/profile.php.
CWE-79
CVE-2018-5215
Fork CMS 5.0.7 has XSS in /private/en/pages/edit via the title parameter.
CVE-2018-5216
Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_content parameter to an admin/pages/*/edit resource.
CVE-2018-5164
Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the “multipart/x-mixed-replace” MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60.
CVE-2018-5172
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either page but does not allow for privilege escalation. This vulnerability affects Firefox < 60.
CVE-2018-5175
A mechanism exists to bypass Content Security Policy (CSP) protections on sites that have a “script-src” policy of “'strict-dynamic'”. If a target website contains an HTML injection flaw, an attacker could inject a reference to a copy of the “require.js” library that is part of Firefox’s Developer Tools, and then use a known technique involving that library to bypass the CSP restrictions on executing injected scripts. This vulnerability affects Firefox < 60.