CVE-2025-3602
Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 do not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on t...
CVE-2025-3602
CVE-2025-3602 affects Liferay Portal and Liferay DXP (7.4.0–7.4.3.97; 7.3/7.2 lines) where an unrestricted GraphQL query depth allows remote attackers to cause DoS by executing deeply nested queries. The root cause is failure to cap GraphQL query depth, per multiple vendors/advisories in the conn...
PT-2025-25554 · Liferay · Liferay Portal +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.2 fix pack 8 through fix pack 20 Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.97 Liferay DXP versions 7.4 GA through update 92 Liferay DXP versions 2023.Q3.1 through...
ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +7053 more potentially affected by CVE-2025-41234 via org.springframework:spring-web (>=6.1.0 <=6.1.20)
org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2025-41234 Source advisory: OSV:GHSA-6R3C-XF4W-JXJM...
CVE-2024-57189
In Erxes 1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler...
CVE-2024-57190
Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...
Incorrect Access Control
Erxes is vulnerable to Incorrect Access Control. The vulnerability is due to authentication bypass due to improper validation of the User HTTP header, allowing attackers to impersonate users and access any GraphQL endpoint...
GraphQL Unauthenticated Mutation Detected
GraphQL is an open-source query and manipulation language for APIs. Unlike regular queries that only read data, mutations are operations designed to modify data on the server. When GraphQL APIs allow mutation operations without requiring proper authentication, attackers can manipulate, insert,...
GHSA-7RHV-XM4Q-WH42 Erxes Incorrect Access Control vulnerability
Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...
Erxes Incorrect Access Control vulnerability
Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...
CVE-2024-57190
Affected software: Erxes prior to 1.6.1. Vulnerability: Incorrect Access Control enabling authentication bypass by sending a User header containing any user, allowing access to any GraphQL endpoint. Root cause: improper validation of the User header leading to auth bypass. Impact: high confidenti...
erxes Security Vulnerability
erxes is an open-source Hubspot/Qualtrics alternative that enables SaaS providers and digital marketing agencies/developers to create unique experiences for their entire business. A security vulnerability exists in erxes versions prior to 1.6.1 that stems from improper access...
erxes Security Vulnerability
erxes is an open-source Hubspot/Qualtrics alternative that enables SaaS providers and digital marketing agencies/developers to create unique experiences for their entire business. A security vulnerability exists in erxes versions prior to 1.6.2, which stems from a path traversal...
PT-2025-24712 · Erxes · Erxes
Name of the Vulnerable Software and Affected Versions: Erxes versions prior to 1.6.2 Description: The issue allows an authenticated attacker to write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler. Recommendations: For...