Security Vulnerabilities, CVEs, Published In November 2008 (XSS)

Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).

Cross-site scripting (XSS) vulnerability in index.php in Fred Stuurman SyndeoCMS 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.

Cross-site scripting (XSS) vulnerability in configuration/httpListenerEdit.jsf in the GlassFish 2 UR2 b04 webadmin interface in Sun Java System Application Server 9.1_01 build b09d-fcs and 9.1_02 build b04-fcs allows remote attackers to inject arbitrary web script or HTML via the name parameter, a different vector than CVE-2008-2751.

Cross-site scripting (XSS) vulnerability in searcher.exe in Tornado Knowledge Retrieval System 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the p parameter in a root action.

Cross-site scripting (XSS) vulnerability in IBM Workplace Content Management (WCM) 6.0G and 6.1 before CF8, when a Page Navigation Component shows menu entries, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters in the URI, related to parameters "not being encoded."

Multiple cross-site scripting (XSS) vulnerabilities in Xerox DocuShare 6 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) SearchResults/ and (2) Services/ in dsdn/dsweb/, and (3) the default URI under unspecified docushare/dsweb/ServicesLib/Group-#/ directories.

Cross-site scripting (XSS) vulnerability in Kent Web Mart 1.61 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in service/calendrier.php in ClanLite 2.2006.05.20 allows remote attackers to inject arbitrary web script or HTML via the annee parameter.

Cross-site scripting (XSS) vulnerability in search.php in Sphider 1.3.4, when the search suggestion feature is enabled, allows remote attackers to inject arbitrary web script or HTML via the query parameter, a different vector than CVE-2006-2506.

Cross-site scripting (XSS) vulnerability in edit.php in wellyblog allows remote attackers to inject arbitrary web script or HTML via the articleid parameter in an add action.

Cross-site scripting (XSS) vulnerability in external_vote.php in PowerAward 1.1.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the l_vote_done parameter.

Cross-site scripting (XSS) vulnerability in index.php in OTManager CMS 24a allows remote attackers to inject arbitrary web script or HTML via the conteudo parameter.

Cross-site scripting (XSS) vulnerability in search.asp in W1L3D4 Philboard 1.14 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the searchterms parameter. NOTE: this might overlap CVE-2007-4024.

Multiple cross-site scripting (XSS) vulnerabilities in Yazd Forum Software 3.x allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to (a) search.jsp, and the (2) msg parameter to (b) error.jsp and (c) userAccount.jsp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Multiple cross-site scripting (XSS) vulnerabilities in The Rat CMS Pre-Alpha 2 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to (a) viewarticle.php and (b) viewarticle2.php and the (2) PATH_INFO to viewarticle.php.

Cross-site scripting (XSS) vulnerability in search.php in BoutikOne CMS allows remote attackers to inject arbitrary web script or HTML via the search_query parameter.

Cross-site scripting (XSS) vulnerability in search.php in Scripts4Profit DXShopCart 4.30mc allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.

Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in Sun Java System Messaging Server 6.2 and 6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2007-2904.

Cross-site scripting (XSS) vulnerability in the Novell User Application 3.0.1, 3.5.0, and 3.5.1; and Identity Manager Roles Based Provisioning Module 3.6.0 and 3.6.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

Cross-site scripting (XSS) vulnerability in the HTTP Protocol Stack (HTTPSTK) in Novell eDirectory before 8.8 SP3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

Multiple cross-site scripting (XSS) vulnerabilities in Kmita Gallery allow remote attackers to inject arbitrary web script or HTML via the (1) begin parameter to index.php and the (2) searchtext parameter to search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Cross-site scripting (XSS) vulnerability in search.php in Kmita Catalogue 2.x allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Cross-site scripting (XSS) vulnerability in php/cal_default.php in Mini Web Calendar (mwcal) 1.2 allows remote attackers to inject arbitrary web script or HTML via the URL.

Cross-site scripting (XSS) vulnerability in index.php in ModernBill 4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via a Javascript event in the new_language parameter in a login action.