27433 matches found

OSV
added 2023/10/19 8:15 p.m. · 1 views

CVE-2023-38584

In Weintek's cMT3000 HMI Web CGI device, the cgi-bin commandwb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication...

9.8 CVSS · 6.1 AI score · 0.01051 EPSS
Exploits 0 · References 2
Positive Technologies
added 2023/10/19 12:0 a.m. · 6 views

PT-2023-29561 · Qad · Qad Search Server

Name of the Vulnerable Software and Affected Versions: QAD Search Server versions up to, and including, 1.0.0.315

Description: The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient checks on indexes. This allows unauthenticated attackers to create a new index...

5.4 CVSS · 5.3 AI score · 0.00436 EPSS
Exploits 2 · References 5
NVD
added 2023/10/17 1:15 p.m. · 14 views

CVE-2023-42627

Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a 1...

9.6 CVSS · 8 AI score · 0.02261 EPSS
Exploits 1 · References 2
OSV
added 2023/10/17 12:30 p.m. · 3 views

GHSA-49GM-5685-8FXV Liferay Portal and Liferay DXP Vulnerable to XSS via the OAuth2ProviderApplicationRedirect Class

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class before 4.0.51 from Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web scri...

9.6 CVSS · 6.1 AI score · 0.0046 EPSS
Exploits 0 · References 6
Github Security Blog
added 2023/10/17 12:30 p.m. · 5 views

Liferay Portal and Liferay DXP Vulnerable to XSS via the OAuth2ProviderApplicationRedirect Class

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class before 4.0.51 from Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web scri...

9.6 CVSS · 6.1 AI score · 0.0046 EPSS
Exploits 0 · References 6 · Affected Software 2
OSV
added 2023/10/17 12:15 p.m. · 22 views

CVE-2023-42628

Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject...

5.4 CVSS · 5.6 AI score · 0.02239 EPSS
Exploits 1 · References 2
Cvelist
added 2023/10/17 11:52 a.m. · 28 views

CVE-2023-42628

Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject...

9 CVSS · 7.6 AI score · 0.02239 EPSS
Exploits 1 · References 2
NVD
added 2023/10/17 10:15 a.m. · 21 views

CVE-2023-44311

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via t...

9.6 CVSS · 6.6 AI score · 0.0046 EPSS
Exploits 0 · References 1
OSV
added 2023/10/17 10:15 a.m. · 31 views

CVE-2023-44311

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via t...

6.1 CVSS · 6 AI score · 0.0046 EPSS
Exploits 0 · References 1
Prion
added 2023/10/17 10:15 a.m. · 16 views

Cross site scripting

Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text...

4.9 CVSS · 5.2 AI score · 0.00462 EPSS
Exploits 0 · References 1 · Affected Software 2
Vulnrichment
added 2023/10/17 9:28 a.m. · 16 views

CVE-2023-44310

Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text...

9 CVSS · 5.5 AI score · 0.00462 EPSS
Exploits 0 · References 1
OSV
added 2023/10/17 9:15 a.m. · 25 views

CVE-2023-44309

Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked sourc...

5.4 CVSS · 5.8 AI score · 0.00462 EPSS
Exploits 0 · References 1
Prion
added 2023/10/17 9:15 a.m. · 28 views

Cross site scripting

Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked sourc...

4.9 CVSS · 5.3 AI score · 0.00462 EPSS
Exploits 0 · References 1 · Affected Software 2
Vulnrichment
added 2023/10/17 8:23 a.m. · 15 views

CVE-2023-44309

Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked sourc...

9 CVSS · 5.7 AI score · 0.00462 EPSS
Exploits 0 · References 1
CVE
added 2023/10/17 8:23 a.m. · 69 views

CVE-2023-44309

The CVE-2023-44309 entry applies to Liferay Portal versions 7.4.2–7.4.3.53 and Liferay DXP 7.4 prior to update 54. The vulnerability is described as stored cross-site scripting (XSS) in fragment components, where a crafted payload injected into any non-HTML field of a linked source asset can be e...

9 CVSS · 5.3 AI score · 0.00462 EPSS
Exploits 0 · References 1 · Affected Software 2
OSV
added 2023/10/17 8:15 a.m. · 25 views

CVE-2023-42497

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the...

6.1 CVSS · 5.9 AI score · 0.0046 EPSS
Exploits 0 · References 1
Vulnrichment
added 2023/10/17 7:56 a.m. · 14 views

CVE-2023-42497

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the...

9.6 CVSS · 5.7 AI score · 0.0046 EPSS
Exploits 0 · References 1
CNVD
added 2023/10/17 12:0 a.m. · 12 views

Medicine Tracker System Cross-Site Scripting Vulnerability

Medicine Tracker System is a medication tracking system by individual developer Carlo Montero. Medicine Tracker System v1.0 suffers from a cross-site scripting vulnerability that stems from the lack of effective filtering and escaping of user-supplied data in the parameter page of the file index.ph...

6.1 CVSS · 6.2 AI score · 0.00505 EPSS
Exploits 1 · References 1
NVD
added 2023/10/16 8:15 p.m. · 17 views

CVE-2023-4820

The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.0.12 does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin...

5.4 CVSS · 5.4 AI score · 0.00403 EPSS
Exploits 2 · References 1
Vulnrichment
added 2023/10/14 12:0 a.m. · 10 views

CVE-2023-30148

Multiple Stored Cross Site Scripting (XSS) vulnerabilities in Opart opartmultihtmlblock before version 2.0.12 and Opart multihtmlblock version 1.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the bodytext or bodytextrude field in /sourcefiles/BlockhtmlClass.php an...

6.1 CVSS · 5.6 AI score · 0.00392 EPSS
Exploits 0 · References 1