Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php.
CWE-79
CVE-2018-11627
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
CVE-2018-11628
Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS.
CVE-2018-11552
There is a reflected XSS vulnerability in AXON PBX 2.02 via the “AXON->Auto-Dialer->Agents->Name” field. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable application.
CVE-2018-11553
SGIN.CN xiangyun platform V9.4.10 has XSS via the login_url parameter to /login.php.
CVE-2018-11557
YIBAN Easy class education platform 2.0 has XSS via the articlelist.php k parameter.
