Lucene search
K

1388 matches found

Veracode
Veracode
added 2025/12/13 4:21 a.m.9 views

Cross-site Request Forgery (CSRF)

jp.ikedam.jenkins.plugins, extensible-choice-parameter is vulnerable to cross-site request forgery CSRF. The vulnerability is due to insufficient request validation, which allows an attacker to execute sandboxed Groovy code by tricking a user into performing unintended actions...

5.4CVSS5.8AI score0.00236EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2025/12/12 9:31 p.m.8 views

EUVD-2025-26484

Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations...

7.5CVSS6.8AI score0.00389EPSS
Exploits0References6
Snyk
Snyk
added 2025/12/12 9:31 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Objects module. An authenticated attacker with Instance Administrator privileges can execute arbitrary code by submitting specially crafted Groovy scripts through Object Actions or Validations. Remediation...

7.5CVSS7.3AI score0.00389EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/12 9:31 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Objects module. An authenticated attacker with Instance Administrator privileges can execute arbitrary code by submitting specially crafted Groovy scripts through Object Actions or Validations. Remediation...

7.5CVSS7.3AI score0.00389EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/12 9:31 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Objects module. An authenticated attacker with Instance Administrator privileges can execute arbitrary code by submitting specially crafted Groovy scripts through Object Actions or Validations. Remediation...

7.5CVSS7.5AI score0.00389EPSS
Exploits0References2
OSV
OSV
added 2025/12/12 9:31 p.m.4 views

GHSA-M5GV-VJ3F-6V2P Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...

7.5CVSS7.8AI score0.00389EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2025/12/12 9:31 p.m.11 views

Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...

7.5CVSS7.9AI score0.00389EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2025/12/10 10:16 p.m.24 views

CVE-2025-66474

XWiki Rendering is a generic rendering system that converts textual input in a given syntax wiki syntax, HTML, etc into another syntax XHTML, etc. Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against /html injection, which...

8.8CVSS0.00893EPSS
Exploits1References7
Cvelist
Cvelist
added 2025/12/10 9:59 p.m.37 views

CVE-2025-66474 XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection

XWiki Rendering is a generic rendering system that converts textual input in a given syntax wiki syntax, HTML, etc into another syntax XHTML, etc. Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against /html injection, which...

8.7CVSS0.00893EPSS
Exploits1References7
Veracode
Veracode
added 2025/12/10 8:7 a.m.6 views

Remote Code Execution (RCE)

Apache Syncope is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsafe handling of custom Groovy implementations, where a malicious administrator can inject Groovy code that is executed by the Syncope Core at runtime, enabling remote code execution until sandboxing is...

7.2CVSS9.5AI score0.23107EPSS
Exploits0References8Affected Software4
Tenable Nessus
Tenable Nessus
added 2025/12/04 12:0 a.m.5 views

Adobe Experience Manager (AEM) Groovy Console

The remote Adobe Experience Manager AEM expose a Groovy console that allows users to execute arbitrary Groovy scripts on the server. This can lead to remote code execution and complete compromise of the AEM instance and the underlying server. No source data...

8.4AI score
Exploits0
Imperva Blog
Imperva Blog
added 2025/12/01 4:20 p.m.9 views

CVE-2025-61757: Imperva Customers Protected Against Critical Oracle Identity Manager Authentication Bypass Leading to Remote Code Execution

At the end of October 2025, Oracle released an emergency security alert addressing CVE-2025-61757, a high-severity authentication-bypass flaw that enables remote code execution in the Identity Manager product of Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. Multiple threat actors a...

9.8CVSS8.9AI score0.88312EPSS
Exploits1
GithubExploit
GithubExploit
added 2025/11/21 8:25 a.m.220 views

Exploit for Missing Authentication for Critical Function in Oracle Identity_Manager

Oracle Identity Manager CVE-2025-61757 Vulnerability Detection T...

9.8CVSS8AI score0.88312EPSS
Exploits1
GithubExploit
GithubExploit
added 2025/11/19 12:6 p.m.327 views

ysoserial

ysoserial !GitHub releasehttps://img.shields.io/github/do...

7.2AI score
Exploits0
RedhatCVE
RedhatCVE
added 2025/11/13 7:8 p.m.11 views

CVE-2025-64099

Open Access Management OpenAM is an access management solution. In versions prior to 16.0.0, if the "claimsparametersupported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the idtoken or ...

9.3CVSS6.8AI score0.00322EPSS
Exploits0References1
Snyk
Snyk
added 2025/11/12 9:27 p.m.6 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the oidc-claims-extension.groovy script when the claimsparametersupported parameter is enabled. An attacker can inject arbitrary values into claims returned in idtoken or userinfo by supplying a crafted JSON...

9.3CVSS7AI score0.00322EPSS
Exploits0References2
OSV
OSV
added 2025/11/12 9:27 p.m.6 views

GHSA-39HR-239P-FHQC OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed

Summary If the "claimsparametersupported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject the value of choice into a claim contained in the idtoken or in the userinfo. Authorization function requests do not prevent a claims parameter containing ...

9.3CVSS6.8AI score0.00322EPSS
Exploits0References5
NVD
NVD
added 2025/11/12 7:15 p.m.10 views

CVE-2025-64099

Open Access Management OpenAM is an access management solution. In versions prior to 16.0.0, if the "claimsparametersupported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the idtoken or ...

9.3CVSS0.00322EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2025/11/03 1:13 p.m.161 views

Exploit for Code Injection in Xwiki

CVE-2025-24893-PoC XWiki Unauthenticated RCE Exploit for Reve...

9.8CVSS7.9AI score0.99898EPSS
Exploits51
RedhatCVE
RedhatCVE
added 2025/10/30 2:13 p.m.4 views

CVE-2025-64133

A cross-site request forgery CSRF vulnerability in Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier allows attackers to execute sandboxed Groovy code...

5.4CVSS6.9AI score0.00236EPSS
Exploits0References1
Rows per page
Query Builder