tianti 2.3 has reflected XSS in the user management module via the tianti-module-admin/user/list userName parameter.
CWE-79
CVE-2018-19092
An issue was discovered in YzmCMS v5.2. It has XSS via a search/index/archives/pubtime/ query string, as demonstrated by the search/index/archives/pubtime/1526387722/page/1.html URI. NOTE: this does not obtain a user’s cookie.
CVE-2018-1910
IBM Rational Engineering Lifecycle Manager 5.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152734.
CVE-2018-19041
The Media File Manager plugin 1.4.2 for WordPress allows XSS via the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI.
CVE-2018-19048
Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element.
CVE-2018-19050
MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword langset parameter.