CVE-2025-43768
Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin...
CVE-2025-43768
Summary: CVE-2025-43768 affects Liferay Portal and Liferay DXP. Vulnerable software includes Liferay Portal 7.4.0–7.4.3.131 and Liferay DXP releases up to 2024.Q4.7 (and related 2024.Q3.13, Q2.13, Q1.15, plus 7.4 GA up to update 92). Root cause: JSONWS APIs can be accessed by authenticated users ...
Liferay Portal and Liferay DXP security vulnerability
Liferay Portal and Liferay DXP are both products of Liferay, Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...
CVE-2025-55010 Kanboard Authenticated Admin Remote Code Execution via Unsafe Deserialization of Events
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary PHP objects by modifying the event "data" field in the...
CVE-2024-40570
SQL Injection vulnerability in SeaCMS v.12.9 allows a remote attacker to obtain sensitive information via the admindatarelate.php component...
WordPress plugin File Provider cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. The WordPress File Provider plugin suffers from a cross-site request forgery vulnerability that stems from a lack of CSRF checks. An attacker could use this vulnerability to all...
CVE-2023-22918
A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50W firmware versions 4.16 through 5.35, USG20W-VPN firmware versions 4.16 through 5.35, VPN series...
CVE-2023-0967
Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user...
CVE-2021-29435
trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially...
PYSEC-2024-298
OpenCTI is an open-source cyber threat intelligence platform. Before 6.3.0, general users can access information that can only be accessed by users with access privileges to admin and support information (SETTINGS_SUPPORT). This is due to inadequate access control for support information...
A vulnerability in the firmware of Mitel 6869i IP phones, related to the lack of input data sanitization at the administrative level, allows an attacker to execute arbitrary commands.
The vulnerability in the firmware of Mitel 6869i IP phones lies in the lack of data sanitization at the administrative level when processing parameters such as username and path on the upgrade.html page. Exploiting this vulnerability allows a malicious actor to execute...
A vulnerability in the im_convert_path/im_identify_path function of the RoundCube Webmail client allows an attacker to escalate their privileges.
The vulnerability in the im_convert_path/im_identify_path function of the RoundCube Webmail email client is related to the lack of data sanitization at the administrative level. Exploiting this vulnerability can allow a remote attacker to escalate their privileges...
CVE-2023-50180
An exposure of sensitive system information to an unauthorized control sphere vulnerability CWE-497 in FortiADC version 7.4.1 and below, version 7.2.3 and below, version 7.1.4 and below, version 7.0.5 and below, version 6.2.6 and below may allow a read-only admin to view data pertaining to other...
PT-2024-18184 · Progress · Sitefinity
Name of the Vulnerable Software and Affected Versions: Sitefinity (affected versions not specified). Description: The issue concerns a potential Cross-Site Scripting (XSS) in the page editing area, which may allow low-privileged users with access to the Sitefinity backend to obtain sensitive informati...
CVE-2024-1779
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter t...
SQL injection
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'form-id' parameter in all versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
CVE-2024-1778
CVE-2024-1778 affects the WordPress plugin “Admin side data storage for Contact Form 7.” The vulnerability is due to a missing capability check in the zt_dcfcf_change_bookmark() function, enabling unauthenticated actors to modify bookmark statuses in all versions up to 1.1.1. Multiple connected s...
A vulnerability in the log management function of the MailSherlock email audit platform allows an attacker to execute arbitrary commands.
The vulnerability in the log management function of the MailSherlock email audit platform is related to the lack of data sanitization at the administrative level. Exploiting this vulnerability could allow a remote attacker to execute arbitrary commands...