Input passed via the URL is not properly sanitised before being returned to the user within the search.php, sendmessage.php, showgroups.php, usercp.php, online.php, misc.php, memberlist.php, member.php, index.php, forumdisplay.php, inlinemod.php, newthread.php, private.php, profile.php, register.php, showthread.php, subscription.php, forum.php, faq.php, and calendar.php scripts. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The vulnerabilities are reported in version 4.0.2. Other versions may also be affected.
This module exploits an insecure randomness vulnerability in Typo3, which leads to XSS attacks. The module tries to guess the Typo3 encryptionKey by exploiting its insecure randomness. If the key is guessed, it will install an XSS Agent. Thanks to Chris John Riley for the info about the bug. http://www.c22.cc/TYPO3-InsecureRandomness.txt
There is a reflected cross-site scripting (XSS) vulnerability. An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities. The orderby parameter is vulnerable to cross-site scripting.
Some parameters were not being properly cleaned on the blog index page, allowing non-persistent cross-site scripting (XSS) attacks. Affects Moodle branch 1.9.x (1.9.8 and prior) and branch 1.8.x (1.8.13 and prior). This bug exists in the previous and next links on a paginated blog.