bloofoxCMS 0.5.2.1 is infected with XSS that allows remote attackers to execute arbitrary JS/HTML Code.
CWE-79
CVE-2020-35704
Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Lead screen.
CVE-2020-35705
Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen.
CVE-2020-35706
Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Project screen.
CVE-2020-35707
Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen.
CVE-2020-35717
zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).
