39 matches found
GHSA-477Q-X55M-J38G Liferay Portal is vulnerable to SSRF through custom object attachment fields
A server-side request forgery SSRF vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw...
Liferay Portal is vulnerable to SSRF through custom object attachment fields
A server-side request forgery SSRF vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw...
CVE-2025-43763
A server-side request forgery SSRF vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw...
PT-2025-36739
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.19 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through...
CVE-2025-43763
SSRF vulnerability CVE-2025-43763 affects Liferay Portal 7.4.0–7.4.3.131 and Liferay DXP 2024.Q1.1–Q4.7 across multiple 2024 releases, specifically in custom object attachment fields. An attacker can induce the application to make unauthorized requests to other instances, creating new object entr...
CVE-2025-43763
A server-side request forgery SSRF vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw...
CVE-2025-43763
A server-side request forgery SSRF vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw...
PT-2025-36527
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.131 Liferay DXP versions 2024.Q1.1 through 2024.Q1.20 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through...
CVE-2023-33938
Cross-site scripting XSS vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object...
CVE-2024-47183
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and...
Cross-site Scripting (XSS)
Overview librenms/librenms is a fully featured network monitoring system that provides a wealth of features and device support. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the unit parameter in print-customoid.php. PoC Pass in a unit parameter value, when...
LibreNMS 跨站脚本漏洞
LibreNMS is an open source network monitoring system based on PHP and MySQL from the LibreNMS community. The system features customizable alerts, auto-discovery of network environments, and automatic updates. LibreNMS suffers from a cross-site scripting vulnerability that originates from a stored...
BIT-PARSE-2024-47183 Parse Server's custom object ID allows to acquire role privileges
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and...
GHSA-8XQ9-G7CH-35HG Parse Server's custom object ID allows to acquire role privileges
Impact If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. Patches Improved validation for custom user object IDs...
Parse Server's custom object ID allows to acquire role privileges
Impact If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. Patches Improved validation for custom user object IDs...
CVE-2024-47183 Parse Server's custom object ID allows to acquire role privileges
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and...
CVE-2024-47183 Parse Server's custom object ID allows to acquire role privileges
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and...
PT-2024-32465 · Unknown · Parse Server
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 6.5.9 Parse Server versions prior to 7.3.0 Description: The issue arises when the Parse Server option allowCustomObjectId: true is set, allowing an attacker to create a new user with a custom object ID that...
PT-2023-24579
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.0 through 7.4.0 Liferay DXP 7.3 before update 14 Description A cross-site scripting XSS issue exists in the App Builder module's custom object details page, allowing remote attackers to inject arbitrary web script o...