ATTACKERKB
added 2026/02/18 12:00 a.m., 4 views

CVE-2025-70141

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in adminclass.php based on the action parameter. An unauthenticated remote attacke...

CVSS 9.4 · AI score 5.6 · EPSS 0.00546
Exploits: 1 · References: 3
Cvelist
added 2025/11/11 6:00 a.m., 8 views

CVE-2025-11855 Age Restriction <= 3.0.2 - Subscriber+ Privilege Escalation

The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the agerestrictionRemoteSupportRequest function, allowing any authenticated user, such as a subscriber, to create an admin user with a hardcoded username and arbitrary password...

EPSS 0.00196
Exploits: 0 · References: 1
Veracode
added 2025/10/27 4:50 a.m., 5 views

Stored Cross-Site Scripting (XSS)

com.liferay, com.liferay.users.admin.web is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization or escaping of user input in organization site names, which allows an attacker to inject and execute malicious JavaScript code on affected instances...

CVSS 5.4 · AI score 5.8 · EPSS 0.00197
Exploits: 0 · References: 4 · Affected Software: 1
RedhatCVE
added 2025/10/14 9:49 p.m., 4 views

CVE-2025-62252

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in o...

CVSS 5.3 · AI score 6.8 · EPSS 0.00243
Exploits: 0 · References: 1
CNNVD
added 2025/10/13 12:00 a.m., 7 views

Liferay Portal and Liferay DXP security vulnerability

Liferay Portal and Liferay DXP are both products of Liferay, Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB and JMS and can be used as a web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

CVSS 5.3 · AI score 6.5 · EPSS 0.00243
Exploits: 0 · References: 2
EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2025-16548

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.4 · EPSS 0.0034
Exploits: 0 · References: 4
EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2023-1986

Malicious code in bioql PyPI...

CVSS 9.1 · AI score 8.8 · EPSS 0.00615
Exploits: 1 · References: 5
EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2024-44014

Malicious code in bioql PyPI...

CVSS 4.8 · AI score 6.4 · EPSS 0.00332
Exploits: 2 · References: 1
EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2025-25271

Malicious code in bioql PyPI...

CVSS 5.1 · AI score 6.4 · EPSS 0.00198
Exploits: 0 · References: 4
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2023-45457

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.5 · EPSS 0.00584
Exploits: 1 · References: 1
Veracode
added 2025/09/11 10:00 a.m., 7 views

Cross-site Scripting (XSS)

Liferay Portal is vulnerable to Cross-site Scripting XSS. The vulnerability is due to insufficient input sanitization due to improper handling of the comliferayusersadminwebportletUsersAdminPortletassetTagNames parameter, allowing remote authenticated attackers to inject JavaScript...

CVSS 5.4 · AI score 6.6 · EPSS 0.00198
Exploits: 0 · References: 5 · Affected Software: 2
OSV
added 2025/08/20 12:15 p.m., 4 views

CVE-2025-43741

A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows ...

CVSS 5.4 · AI score 5.8 · EPSS 0.00198
Exploits: 0 · References: 1
Positive Technologies
added 2025/08/20 12:00 a.m., 10 views

PT-2025-34040 · Liferay · Liferay Portal +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132; Liferay DXP versions 2024.Q1.1 through 2024.Q1.14; Liferay DXP versions 2024.Q2.0 through 2024.Q2.13; Liferay DXP versions 2024.Q3.1 through 2024.Q3.13; Liferay DXP versions 2024.Q4.0 through...

CVSS 5.1 · AI score 5.4 · EPSS 0.00198
Exploits: 0 · References: 8
Snyk
added 2025/08/12 12:30 p.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the profile picture upload. An attacker can cause significant service slowdowns by uploading a profile picture exceeding the intended size limit. Remediation: Upgrade...

CVSS 6.9 · AI score 7 · EPSS 0.0026
Exploits: 0 · References: 2
Cvelist
added 2025/05/15 8:06 p.m., 10 views

CVE-2024-12874 Top Comments <= 1.0 - Admin+ Stored Cross-Site Scripting

The Top Comments WordPress plugin through 1.0 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...

EPSS 0.00271
Exploits: 1 · References: 1
CVE
added 2025/03/20 6:00 a.m., 49 views

CVE-2024-13881

CVE-2024-13881 affects the Link My Posts WordPress plugin (versions up to 1.0). The issue is a Reflected Cross-Site Scripting vulnerability where user-supplied input is not properly sanitized/escaped before being output on the page, potentially impacting high-privilege users (e.g., admins). The C...

CVSS 7.1 · AI score 6.1 · EPSS 0.00255
Exploits: 1 · References: 1 · Affected Software: 1
CVE
added 2025/02/13 6:00 a.m., 76 views

CVE-2024-12586

CVE-2024-12586 affects Chalet-Montagne.com Tools WordPress plugin (

CVSS 6.1 · AI score 6.1 · EPSS 0.0029
Exploits: 1 · References: 1 · Affected Software: 1
NVD
added 2024/11/21 11:15 a.m., 26 views

CVE-2024-9768

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...

CVSS 4.8 · EPSS 0.00418
Exploits: 1 · References: 1
Cvelist
added 2024/09/02 6:00 a.m., 29 views

CVE-2024-7354 Ninja Forms 3.8.6-3.8.10 - Reflected XSS

The Ninja Forms WordPress plugin before 3.8.11 does not escape a URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins...

EPSS 0.00662
Exploits: 1 · References: 1
Vulnrichment
added 2024/08/10 6:00 a.m., 10 views

CVE-2024-6134 WP eStore < 8.5.6 - Reflected XSS in Product Editing

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins...

AI score 5.4 · EPSS 0.00378
Exploits: 1 · References: 1