In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display.
CWE-79
CVE-2018-13252
Entrust Datacard Syntera CS 5.x has XSS via the name field of “Domain or Computer Name” in the login page.
CVE-2018-13256
PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or firstname parameter.
CVE-2018-1328
Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by “Josna Joseph”.
CVE-2018-13104
OX App Suite 7.8.4 and earlier allows XSS. Internal reference: 58742 (Bug ID)
CVE-2018-13106
ClipperCMS 1.3.3 has stored XSS via the “Tools -> Configuration” screen of the manager/ URI.
