Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Flyn San IFrame Shortcode plugin <= 1.0.5 versions.

The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue

The iframe plugin before 4.5 for WordPress does not sanitize a URL.

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.

Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.

The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.

PHP remote file inclusion vulnerability in iframe.php in the iFrame Module for PHP-NUKE allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.

Cross-site scripting (XSS) vulnerability in the IFrame module before 03.02.01 for DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "Pass through values."