EUVD-2025-37203

Cross-site scripting XSS vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allow...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Content field in the Blogs widget. An attacker can execute arbitrary scripts or HTML by injecting a crafted element. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attack...

GHSA-56JV-4WW3-65MW Liferay Portal is vulnerable to XSS in the Blogs widget

Cross-site scripting XSS vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allow...

CVE-2025-62265

Cross-site scripting XSS vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allow...

CVE-2025-62265

Cross-site scripting XSS vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allow...

CVE-2025-62265

Cross-site scripting XSS vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allow...

CVE-2025-62265

Cross-site scripting XSS vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allow...

CVE-2025-62265

CVE-2025-62265 is an XSS vulnerability in the Blogs widget of Liferay Portal and Liferay DXP, exploitable via a crafted iframe injected into a blog entry’s Content text field. The issue stems from the Blogs widget not adding a sandbox attribute to iframe elements, allowing remote attackers to run...

EUVD-2025-37079

Malicious code in epic-web-payment-management-iframe npm...

Malicious code in epic-web-payment-management-iframe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 20f662c0de8dbfab55fee3857ca8b147a09c10602058c221300b37267643ec34 The package epic-web-payment-management-iframe was found to contain malicious code...

MAL-2025-49214 Malicious code in epic-web-payment-management-iframe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 20f662c0de8dbfab55fee3857ca8b147a09c10602058c221300b37267643ec34 The package epic-web-payment-management-iframe was found to contain malicious code...

Liferay Portal和Liferay DXP 跨站脚本漏洞

Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

PT-2025-44448

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q4.10 Liferay Portal versions 7.3 GA through update 36 Liferay DXP versions 7.4 GA through update 92 Description A cross-site scripting XSS issue exist...

CVE-2025-12245

A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote exploitation of th...

CVE-2025-12246 chatwoot Admin IframeLoader.vue cross site scripting

A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross site scripting. The attack can be executed...

CVE-2025-12246 chatwoot Admin IframeLoader.vue cross site scripting

A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross site scripting. The attack can be executed...

EUVD-2025-36122

A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross site scripting. The attack can be executed...

CVE-2025-12246

The CVE-2025-12246 entry concerns chatwoot versions up to 4.7.0, specifically the Admin Interface file app/javascript/shared/components/IframeLoader.vue. The vulnerability arises from manipulation of the Link argument, enabling cross-site scripting. Exploitation is described as remote, but no in‑...

CVE-2025-12245 chatwoot Widget IFrameHelper.js initPostMessageCommunication origin validation

A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote exploitation of th...

EUVD-2025-36123

A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote exploitation of th...