Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the custom object attachment fields. An attacker can induce the system to make unauthorized network requests to arbitrary external resources by creating new object entries that link to external...

CVE-2025-43763

A server-side request forgery SSRF vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw...

CVE-2025-43752

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the...

CVE-2025-20630

Mattermost Mobile versions =2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel...

GHSA-W6XH-C82W-H997 Mattermost webapp crash via a crafted post

Mattermost versions 10.2.x = 10.2.0, 9.11.x = 9.11.5, 10.0.x = 10.0.3, 10.1.x = 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel...

CVE-2025-20630

Mattermost Mobile versions =2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel...

CVE-2025-20621

Mattermost versions 10.2.x = 10.2.0, 9.11.x = 9.11.5, 10.0.x = 10.0.3, 10.1.x = 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel...

CVE-2025-20621 Webapp crash via object that can't be cast to String in Attachment Field

Mattermost versions 10.2.x = 10.2.0, 9.11.x = 9.11.5, 10.0.x = 10.0.3, 10.1.x = 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel...

CVE-2025-20621 Webapp crash via object that can't be cast to String in Attachment Field

Mattermost versions 10.2.x = 10.2.0, 9.11.x = 9.11.5, 10.0.x = 10.0.3, 10.1.x = 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel...

WordPress FooGallery plugin <= 2.4.14 - Authenticated (Author+) Stored Cross-Site Scripting via Image Attachment Fields vulnerability

Authenticated Author+ Stored Cross-Site Scripting via Image Attachment Fields vulnerability discovered by Tim Coen in WordPress Plugin FooGallery versions = 2.4.14...

CVE-2024-2471

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields such as 'Title', 'Alt Text', 'Custom URL', 'Custom Class', and 'Override Type' in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This...

FooGallery < 2.4.15 - Authenticated (Author+) Stored Cross-Site Scripting via Image Attachment Fields

Description The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields such as 'Title', 'Alt Text', 'Custom URL', 'Custom Class', and 'Override Type' in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output...

Cisco Email Security Appliance Corrupted Attachment Fields Denial of Service Vulnerability

A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to cause an affected device to stop scanning and forwarding email messages due to a denial of service DoS condition. The vulnerabili...