Page 2 of 45 results (0.011 seconds)

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2. 11.1, 11.0 and 10.9.1 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-73: External Control of File Name or Path •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field. Vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en el widget Documentos y Medios en Liferay Portal 7.4.3.18 a 7.4.3.101, y Liferay DXP 2023.Q3 antes del parche 6, y 7.4 actualizaciones 18 a 92 permite a usuarios remotos autenticados inyectar script web o HTML arbitrario a través de un payload manipulado inyectado en el campo de texto "Título" de un documento. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client. El módulo Calendario en Liferay Portal 7.2.0 a 7.4.2 y versiones anteriores no compatibles, y Liferay DXP 7.3 anteriores al service pack 3, 7.2 anteriores al fix pack 15 y versiones anteriores no compatibles no escapa a los datos proporcionados por el usuario en la plantilla de correo electrónico de notificación predeterminada , que permite a los usuarios autenticados remotamente inyectar script web o HTML arbitrarios a través del título de un evento del calendario o el nombre del usuario. Esto puede dar lugar a ataques de suplantación de contenido o de Cross-site scripting (XSS), dependiendo de la capacidad del cliente de correo del receptor. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field Vulnerabilidad de Cross-site scripting (XSS) reflejado en la configuración de instancia para cuentas en Liferay Portal 7.4.3.44 a 7.4.3.97, y Liferay DXP 2023.Q3 antes del parche 6, y 7.4 actualización 44 a 92 permite a atacantes remotos inyectar script arbitrarios o HTML a través de un payload manipulado inyectado en el campo de texto "Dominios de correo electrónico bloqueados" • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter. Vulnerabilidad de cross-site scripting (XSS) reflejado en la pantalla de edición de Language Override en Liferay Portal 7.4.3.8 a 7.4.3.97, y Liferay DXP 2023.Q3 antes del parche 5, y 7.4 actualización 4 a 92 permite a atacantes remotos inyectar scripts web arbitrarios o HTML a través del parámetro _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42498 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •