34 matches found
CVE-2025-43824
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
Liferay Profile Widget does not prevent vCard extension spoofing
The Profile Widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
GHSA-PFXJ-GVQG-MJ44 Liferay Profile Widget does not prevent vCard extension spoofing
The Profile Widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
EUVD-2025-32592
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
CVE-2025-43824
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
CVE-2025-43824
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
CVE-2025-43824
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
CVE-2025-43824
The CVE-2025-43824 affects the Profile widget in Liferay Portal 7.4.0–7.4.3.111 (and older unsupported versions) and Liferay DXP 2023.Q3–2023.Q4 and 7.4 GA up to update 92. The root cause is a user name being included in the Content-Disposition header, allowing remote authenticated users to chang...
CVE-2025-43824
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
PT-2025-40950
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay Portal 7.4 GA through update 92 Description The Profile widget is susceptible to a...
EUVD-2025-4335
Malicious code in bioql PyPI...
CVE-2025-48321
Cross-Site Request Forgery CSRF vulnerability in dyiosah Ultimate twitter profile widget ultimate-twitter-profile-widget allows Stored XSS.This issue affects Ultimate twitter profile widget: from n/a through = 1.0...
CVE-2025-48321
Cross-Site Request Forgery CSRF vulnerability in dyiosah Ultimate twitter profile widget ultimate-twitter-profile-widget allows Stored XSS.This issue affects Ultimate twitter profile widget: from n/a through = 1.0...
CVE-2025-48321 WordPress Ultimate twitter profile widget plugin <= 1.0 - CSRF to Stored XSS vulnerability
Cross-Site Request Forgery CSRF vulnerability in dyiosah Ultimate twitter profile widget ultimate-twitter-profile-widget allows Stored XSS.This issue affects Ultimate twitter profile widget: from n/a through = 1.0...
CVE-2025-48321 WordPress Ultimate twitter profile widget plugin <= 1.0 - CSRF to Stored XSS vulnerability
Cross-Site Request Forgery CSRF vulnerability in dyiosah Ultimate twitter profile widget allows Stored XSS. This issue affects Ultimate twitter profile widget: from n/a through 1.0...
CVE-2025-48321
CVE-2025-48321 describes a CSRF to Stored XSS vulnerability in the WordPress plugin Ultimate Twitter Profile Widget (versions up to 1.0). Affected: Ultimate Twitter Profile Widget from n/a through 1.0. CVSS 3.1 base score 7.1 (HIGH). Root cause/impact: CSRF condition enables stored XSS via the wi...
PT-2025-35009
Name of the Vulnerable Software and Affected Versions: dyiosah Ultimate twitter profile widget versions through 1.0 Description: A Cross-Site Request Forgery CSRF vulnerability exists in dyiosah Ultimate twitter profile widget, which also allows Stored Cross-Site Scripting XSS. Recommendations: A...
WordPress plugin Ultimate twitter profile widget 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site request forgery vulnerability...
Malicious code in risk-profile-widget (npm)
The package communicates with a domain associated with malicious activity...
MAL-2025-6757 Malicious code in risk-profile-widget (npm)
The package communicates with a domain associated with malicious activity...