3491 matches found
CVE-2025-60506
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting XSS via the Public Comments feature. An attacker with a low-privileged account e.g., Student can inject arbitrary JavaScript payloads into a comment. When any other user Student, Teacher, or Admin views the annotated PD...
Moodle PDF Annotator plugin 安全漏洞
Moodle PDF Annotator plugin is an open source teaching plugin for Moodle. A security vulnerability exists in Moodle PDF Annotator plugin version 1.5 release 9, which stems from the public comments feature not properly filtering input and could lead to a stored cross-site scripting attack...
EUVD-2025-35197
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting XSS via the Public Comments feature. An attacker with a low-privileged account e.g., Student can inject arbitrary JavaScript payloads into a comment. When any other user Student, Teacher, or Admin views the annotated PD...
CVE-2025-60506
CVE-2025-60506 affects Moodle PDF Annotator plugin v1.5 release 9, enabling stored XSS via Public Comments. A low-privilege user can inject JavaScript in a comment; when others view the annotated PDF, the payload runs in their browser, potentially causing session hijacking and credential theft. N...
CVE-2025-60506
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting XSS via the Public Comments feature. An attacker with a low-privileged account e.g., Student can inject arbitrary JavaScript payloads into a comment. When any other user Student, Teacher, or Admin views the annotated PD...
CVE-2025-60506
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting XSS via the Public Comments feature. An attacker with a low-privileged account e.g., Student can inject arbitrary JavaScript payloads into a comment. When any other user Student, Teacher, or Admin views the annotated PD...
CVE-2025-62246
Multiple stored cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users t...
CVE-2025-62243
Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the...
Liferay Mentions Web is Vulnerable to Cross-site Scripting
Multiple stored cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users t...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the first, middle, or last name fields. An attacker can execute arbitrary web scripts in the context of another user by injecting crafted payloads into these fields, which are then rendered in various widget...
GHSA-MJ68-2XR5-28XH Liferay Mentions Web is Vulnerable to Cross-site Scripting
Multiple stored cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users t...
EUVD-2025-34083
Liferay Mentions Web is Vulnerable to Cross-site Scripting...
CVE-2025-62246
Multiple stored cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users t...
CVE-2025-62246
Multiple stored cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users t...
CVE-2025-62246
Multiple stored cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users t...
CVE-2025-62246
Multiple stored cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users t...
CVE-2025-62246
CVE-2025-62246 is a stored XSS in Liferay Portal 7.4.x and Liferay DXP (older and unsupported versions) due to improper sanitization of name fields in com.liferay.mentions.web; exploited when a crafted first/mmiddle/last name is rendered in widgets/apps such as page comments, blog comments, docs/...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the comliferaychangetrackingwebportletPublicationsPortletvalue parameter. An attacker can access and modify publication comments by sending crafted URLs as an authenticated user. Remediation Upgrade...
Liferay Publications is vulnerable to Incorrect Authorization
Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the...
GHSA-894W-W643-QVXV Liferay Publications is vulnerable to Incorrect Authorization
Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the...