Lucene search
K

8 matches found

RedhatCVE
RedhatCVE
added 2025/09/17 10:46 p.m.11 views

CVE-2025-43802

Stored cross-site scripting XSS vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web...

4.8CVSS5.5AI score0.00243EPSS
Exploits0References1
Snyk
Snyk
added 2025/09/16 12:30 a.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the externalReferenceCode parameter in the /o/c/ API endpoint. An attacker can execute arbitrary web scripts or inject malicious HTML by supplying crafted input. Details Cross-site scripting or XSS is a code...

6.1CVSS5.5AI score0.00243EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/09/15 9:58 p.m.11 views

CVE-2025-43802

Stored cross-site scripting XSS vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web...

4.8CVSS0.00243EPSS
Exploits0References1
CVE
CVE
added 2025/09/15 9:58 p.m.29 views

CVE-2025-43802

CVE-2025-43802 is a stored XSS vulnerability in Liferay Portal/DXP where an attacker can inject arbitrary script via the externalReferenceCode parameter on the /o/c/ API. Affected: Liferay Portal 7.4.3.51–7.4.3.109 and Liferay DXP 2023.Q3.1–2023.Q3.4, plus older 7.4/7.3 updates listed in the inta...

6.1CVSS5.1AI score0.00243EPSS
Exploits0References1Affected Software2
ATTACKERKB
ATTACKERKB
added 2025/08/20 3:33 p.m.3 views

CVE-2011-10030

Foxit PDF Reader 4.3.1.0218 exposes a JavaScript API function, createDataObject, that allows untrusted PDF content to write arbitrary files anywhere on disk. By embedding a malicious PDF that calls this API, an attacker can drop executables or scripts into privileged folders, leading to code...

8.4CVSS6.3AI score0.00352EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/05/30 5:21 a.m.33 views

CVE-2025-48881 Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users

Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If...

8.3CVSS0.00291EPSS
Exploits0References2
OSV
OSV
added 2025/05/28 2:38 p.m.3 views

GHSA-965R-9CG9-G42P Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users

Impact All objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. Attack...

8.3CVSS5.9AI score0.00291EPSS
Exploits0References4
Snyk
Snyk
added 2025/05/22 10:48 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper handling of Check and ListObject API calls under specific conditions. An attacker can bypass authorization controls by exploiting the conditions where both type-bound public access and userset...

8.5CVSS7AI score0.00422EPSS
Exploits0References2
Rows per page
Query Builder