DomainMod 4.10.0 has Stored XSS in the “/settings/profile/index.php” new_first_name parameter.
CWE-79
CVE-2018-11559
DomainMod 4.10.0 has Stored XSS in the “/settings/profile/index.php” new_last_name parameter.
CVE-2018-11562
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.
CVE-2018-11564
Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to “/storage/poc.svg” that will point to http://localhost/pagekit/storage/poc.svg. When a user comes along to click that link, it will trigger a XSS attack.
CVE-2018-11568
Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. In some (but not all) cases, the ” characters have < and > representations.
CVE-2018-11572
ClipperCMS 1.3.3 has XSS in the “Module name” field in a “Modules -> Manage modules -> edit” action to the manager/ URI.
