8 matches found
CVE-2025-43802
Stored cross-site scripting XSS vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the externalReferenceCode parameter in the /o/c/ API endpoint. An attacker can execute arbitrary web scripts or inject malicious HTML by supplying crafted input. Details Cross-site scripting or XSS is a code...
CVE-2025-43802
Stored cross-site scripting XSS vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web...
CVE-2025-43802
CVE-2025-43802 is a stored XSS vulnerability in Liferay Portal/DXP where an attacker can inject arbitrary script via the externalReferenceCode parameter on the /o/c/ API. Affected: Liferay Portal 7.4.3.51–7.4.3.109 and Liferay DXP 2023.Q3.1–2023.Q3.4, plus older 7.4/7.3 updates listed in the inta...
CVE-2011-10030
Foxit PDF Reader 4.3.1.0218 exposes a JavaScript API function, createDataObject, that allows untrusted PDF content to write arbitrary files anywhere on disk. By embedding a malicious PDF that calls this API, an attacker can drop executables or scripts into privileged folders, leading to code...
CVE-2025-48881 Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users
Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If...
GHSA-965R-9CG9-G42P Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users
Impact All objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. Attack...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper handling of Check and ListObject API calls under specific conditions. An attacker can bypass authorization controls by exploiting the conditions where both type-bound public access and userset...