Jenkins build-metrics Plugin does not properly escape the label query parameter, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability.
A limited Cross-Site Scripting (XSS) issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Due to incorrect input handling Squid cachemgr.cgi tool is vulnerable to multiple Cross-Site Scripting attacks. This allows a malicious server to embed URLs in its content such that user credentials and other information can be extracted from a client or administrator with access to the Squid cachemgr.cgi tool URL.
Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering.
Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.
Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings. A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability.