CVE-2025-43785
CVE-2025-43785 is a stored XSS in Liferay Portal 7.4.3.45–7.4.3.128 and Liferay DXP 2024 Q2.0–Q2.9, 2024.Q1.1–Q1.12, and 7.4 update 45–update 92. The vulnerability affects the My Workflow Tasks page and can allow remote attackers to inject arbitrary script/HTML. Root cause and affected component ...
CVE-2025-43785
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks pa...
PT-2025-37067
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.45 through 7.4.3.128; Liferay DXP versions 2024 Q1.1 through 2024.Q1.12; Liferay DXP versions 2024 Q2.0 through 2024.Q2.9; Liferay versions 7.4 update 45 through update 92. Description: A stored cross-site scripting...
Linux Distros Unpatched Vulnerability : CVE-2024-47759
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - GLPI is a free Asset and IT management software package. A technician can upload an SVG containing a malicious script. The script will then be executed when any...
Debian dsa-5995 : libhsqldb1.8.0-java - security update
The remote Debian 13 host has a package installed that is affected by a vulnerability as referenced in the dsa-5995 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-5995-1 [email protected] https://www.debian.org/security/ Moritz...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the search bar portlet when user-supplied input in the URL is not properly sanitized. An attacker can execute arbitrary web scripts in the context of the user's browser by tricking a user into clicking a...
Improper Encoding or Escaping of Output
Overview: element-plus is a component library for Vue 3. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the href attribute handling in the el-link component. An attacker can execute arbitrary scripts, redirect users to malicious sites, or conduct...
Improper Encoding or Escaping of Output
Overview: org.webjars.npm:element-plus is a component library for Vue 3. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the href attribute handling in the el-link component. An attacker can execute arbitrary scripts, redirect users to malicious...
CVE-2025-48208
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary...
CVE-2025-48208 Apache HertzBeat (incubating): Jmx JNDI injection vulnerability
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary...
CVE-2025-48208 Apache HertzBeat (incubating): Jmx JNDI injection vulnerability
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary...
CVE-2025-48208
CVE-2025-48208 describes an LDAP Injection vulnerability in Apache HertzBeat up to version 1.7.2. An attacker with an authenticated account can trigger the flaw by crafting custom LDAP queries, potentially resulting in arbitrary script execution. Remediation: upgrade to version 1.7.3 (fixes the i...
PT-2025-36720
Name of the Vulnerable Software and Affected Versions: Apache HertzBeat versions through 1.7.2. Description: This issue involves an improper neutralization of special elements used in an LDAP query, specifically an LDAP injection flaw, in Apache HertzBeat. An attacker requires an authenticated...
SAP Supplier Relationship Management Cross-Site Scripting Vulnerability
SAP Supplier Relationship Management (SRM) is a supplier relationship management solution from SAP. The product automates purchasing and acquisition processes within an organization and between suppliers, and provides functions such as invoicing. A cross-site scripting vulnerability exists in SAP...
LinkAce Cross-Site Scripting Vulnerability
LinkAce is a self-hosted archive of links to your favorite websites, by Kevin Woblick (personal developer). A cross-site scripting vulnerability exists in LinkAce versions prior to 2.1.9 that stems from a stored cross-site scripting attack that could lead to arbitrary script execution...
CVE-2025-58351
Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that...
Apache DolphinScheduler Code Execution Vulnerability
Apache DolphinScheduler is a modern data scheduling platform from the Apache USA Foundation. A code execution vulnerability exists in Apache DolphinScheduler versions prior to 3.2.2 due to improper input validation. An attacker can exploit this vulnerability to execute arbitrary shell scripts on...
CVE-2025-58361 Promptcraft Forge Studio's incomplete URL check is vulnerable to XSS via SVG
Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain a non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips javascript: a...
CVE-2025-20330
A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the...
CVE-2025-20330 Cisco Unified Communications Manager IM and Presence Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the...