Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.
CWE-79
CVE-2018-20242
A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking.
CVE-2018-20244
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
CVE-2018-20302
An XSS issue was discovered in Steve Pallen Xain before 0.6.2 via the order parameter.
CVE-2018-20306
A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1.
CVE-2018-2021
IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 155345.