Lucene search
K

8 matches found

Vulnrichment
Vulnrichment
added 2026/03/09 10:39 a.m.3 views

CVE-2026-25604 Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass

In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL. This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances. You...

5.7AI score0.00359EPSS
Exploits1References2
Veracode
Veracode
added 2025/11/07 8:21 a.m.6 views

Insecure Direct Object Reference (IDOR)

com.liferay.commerce, com.liferay.commerce.service is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to comliferaycommerceorderwebinternalportletCommerceOrderPortletcommerceOrderId parameter not being validated across virtual instances. This allows an attacker in on...

5.3CVSS7AI score0.00255EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2025/10/22 9:31 p.m.3 views

GHSA-CQWV-9XH5-25FG Liferay Portal and DXP are Missing Authorization in Collection Provider

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19...

2CVSS6.8AI score0.00242EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2025/10/22 7:27 p.m.2 views

CVE-2025-62247

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19...

2CVSS6.3AI score0.00242EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/10/22 12:0 a.m.4 views

PT-2025-43403

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2025.Q2.0 through 2025.Q2.9 Liferay DXP versions 2025.Q1.0 through 2025.Q1.16 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3....

6.5CVSS6.5AI score0.00242EPSS
Exploits0References12
OSV
OSV
added 2025/10/13 9:15 p.m.7 views

CVE-2025-62252

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in o...

4.3CVSS6.7AI score0.00243EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2025/09/23 12:32 a.m.7 views

Liferay Portal and DXP allows users to add a note to a different virtual instance

Insecure Direct Object Reference IDOR vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a...

5.3CVSS6.9AI score0.00255EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2024/12/18 7:21 p.m.3 views

CVE-2024-52590 Missing validation allows spoofed profiles in Misskey

Misskey is an open source, federated social media platform. In affected versions missing validation in ApRequestService.signedGet allows an attacker to create fake user profiles that appear to be from a different instance than the one where they actually exist. These profiles can be used to...

8.8CVSS6.8AI score0.00334EPSS
Exploits0References3
Rows per page
Query Builder