Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

OpenOLAT 18.1.5 Cross Site Scripting / Privilege Escalation

OpenOLAT versions 18.1.4 and below and versions 18.1.5 and below suffer from multiple persistent cross site scripting vulnerabilities.

Packet Storm
#xss#vulnerability#web#ios#windows#java#perl#auth
WEBIGniter 28.7.23 Cross Site Scripting

WEBIGniter version 28.7.23 suffers from a persistent cross site scripting vulnerability.

GHSA-q2cv-7j58-rfmj: Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting

Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.

GHSA-hgr6-6hhw-883f: Liferay Portal Calendar module and Liferay DXP vulnerable to Cross-site Scripting, content spoofing

The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client.

GHSA-rwhv-hvj2-qrqm: Liferay Portal Frontend JS module's portlet.js and Liferay DXP vulnerable to Cross-site Scripting

Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.

GHSA-rwxc-4cmw-7x75: Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget.

GHSA-v2xq-m22w-jmpr: Liferay Portal and Liferay DXP's Users Admin module vulnerable to stored Cross-site Scripting

Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization’s “Name” text field

GHSA-73x3-8mrg-5r93: Liferay Portal Language Override edit screen and Liferay DXP vulnerable to reflected Cross-site Scripting

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key` parameter.

GHSA-54pv-r62j-9qqc: Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting

Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2` parameter.

GHSA-468x-frcm-ghx6: Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting

Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field