1890 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Objects module. An authenticated attacker with Instance Administrator privileges can execute arbitrary code by submitting specially crafted Groovy scripts through Object Actions or Validations. Remediation...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Objects module. An authenticated attacker with Instance Administrator privileges can execute arbitrary code by submitting specially crafted Groovy scripts through Object Actions or Validations. Remediation...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Objects module. An authenticated attacker with Instance Administrator privileges can execute arbitrary code by submitting specially crafted Groovy scripts through Object Actions or Validations. Remediation...
GHSA-M5GV-VJ3F-6V2P Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations
In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...
EUVD-2025-202463
ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the tot...
SUSE CVE-2022-50667
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix memory leak in vmwmksstataddioctl If the copy of the description string from userspace fails, then the page for the instance descriptor doesn't get freed before returning -EFAULT, which leads to a memleak...
SUSE CVE-2023-53799
In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...
EUVD-2025-202195
MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...
EUVD-2022-55738
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix memory leak in vmwmksstataddioctl If the copy of the description string from userspace fails, then the page for the instance descriptor doesn't get freed before returning -EFAULT, which leads to a memleak...
CVE-2025-34404
MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...
CVE-2025-34404 MailEnable < 10.54 Reflected XSS in InstanceScope Parameter of CAL/compose.aspx
MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...
CVE-2025-34404
MailEnable (Windows, prior to 10.54) is affected by a reflected XSS in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized for GET requests and is reflected inside a [removed] block as the JavaScript variable gInstanceScope. An ...
CVE-2025-34404 MailEnable < 10.54 Reflected XSS in InstanceScope Parameter of CAL/compose.aspx
MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...
EUVD-2023-60107
In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...
CVE-2022-50667
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix memory leak in vmwmksstataddioctl If the copy of the description string from userspace fails, then the page for the instance descriptor doesn't get freed before returning -EFAULT, which leads to a memleak...
CVE-2023-53799
In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...
UBUNTU-CVE-2023-53799
In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...
CVE-2023-53799
CVE-2023-53799 affects the Linux kernel crypto subsystem where crypto_destroy_instance could free an instance in atomic context if the last user unregisters while active. Root cause: crypto_drop_spawn may be invoked outside process context, risking atomic-context frees. Fix: defer the freeing to ...
CVE-2023-53799 crypto: api - Use work queue in crypto_destroy_instance
In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...
CVE-2023-53799
In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...