Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-39612

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-16 Sep, 2023 | 00:00
Updated At-25 Sep, 2024 | 15:53
Rejected At-
Credits

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:16 Sep, 2023 | 00:00
Updated At:25 Sep, 2024 | 15:53
Rejected At:
▼CVE Numbering Authority (CNA)

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/filebrowser/filebrowser/issues/2570
N/A
https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
N/A
https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/
N/A
Hyperlink: https://github.com/filebrowser/filebrowser/issues/2570
Resource: N/A
Hyperlink: https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
Resource: N/A
Hyperlink: https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/filebrowser/filebrowser/issues/2570
x_transferred
https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
x_transferred
https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/
x_transferred
Hyperlink: https://github.com/filebrowser/filebrowser/issues/2570
Resource:
x_transferred
Hyperlink: https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
Resource:
x_transferred
Hyperlink: https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:16 Sep, 2023 | 01:15
Updated At:27 Mar, 2025 | 14:42

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CPE Matches

filebrowser
filebrowser
>>filebrowser>>Versions before 2.25.0(exclusive)
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/cve@mitre.org
Exploit
Third Party Advisory
https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30cve@mitre.org
Patch
https://github.com/filebrowser/filebrowser/issues/2570cve@mitre.org
Exploit
Issue Tracking
https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30af854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/filebrowser/filebrowser/issues/2570af854a3a-2127-422b-91ae-364da2661108
Exploit
Issue Tracking
Hyperlink: https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
Source: cve@mitre.org
Resource:
Patch
Hyperlink: https://github.com/filebrowser/filebrowser/issues/2570
Source: cve@mitre.org
Resource:
Exploit
Issue Tracking
Hyperlink: https://febin0x4e4a.wordpress.com/2023/09/15/xss-in-filebrowser-leads-to-admin-account-takeover-in-filebrowser/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://github.com/filebrowser/filebrowser/issues/2570
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Issue Tracking

Change History

0
Information is not available yet

Similar CVEs

166Records found

CVE-2024-55228
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9||CRITICAL
EPSS-0.10% / 27.42%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 00:00
Updated-19 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter.

Action-Not Available
Vendor-n/aDolibarr ERP & CRM
Product-dolibarr_erp\/crmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27915
Matching Score-4
Assigner-Mautic
ShareView Details
Matching Score-4
Assigner-Mautic
CVSS Score-7.6||HIGH
EPSS-0.10% / 28.95%
||
7 Day CHG~0.00%
Published-17 Sep, 2024 | 14:02
Updated-29 Sep, 2024 | 00:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS Cross-site Scripting Stored (XSS) - Description field

Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions. This could lead to the user having elevated access to the system.

Action-Not Available
Vendor-acquiaMauticmautic
Product-mauticMauticmautic
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-32174
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-9||CRITICAL
EPSS-10.09% / 92.79%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 14:20
Updated-27 May, 2025 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gogs - XSS

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.

Action-Not Available
Vendor-gogsgogs
Product-gogsgogs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23038
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-9||CRITICAL
EPSS-0.54% / 66.70%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 17:26
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-n/aF5, Inc.
Product-big-ip_application_acceleration_managerbig-ip_link_controllerbig-ip_policy_enforcement_managerbig-ip_fraud_protection_servicebig-ip_global_traffic_managerbig-ip_analyticsbig-ip_access_policy_managerbig-ip_domain_name_systembig-ip_local_traffic_managerbig-ip_advanced_firewall_managerbig-ip_application_security_managerBIG-IP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-37721
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9||CRITICAL
EPSS-0.11% / 29.99%
||
7 Day CHG~0.00%
Published-25 Nov, 2022 | 00:00
Updated-25 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PyroCMS 3.9 is vulnerable to a stored Cross Site Scripting (XSS_ when a low privileged user such as an author, injects a crafted html and javascript payload in a blog post, leading to full admin account takeover or privilege escalation.

Action-Not Available
Vendor-pyrocmsn/a
Product-pyrocmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-52300
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-1.32% / 79.08%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 15:24
Updated-18 Nov, 2024 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
macro-pdfviewer has a XSS through the width parameter

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin visits the page with the malicious code. This is fixed in 2.5.6.

Action-Not Available
Vendor-XWiki SAS
Product-pdf_viewer_macromacro-pdfviewermacro_pdfviewer
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-36094
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-50.24% / 97.75%
||
7 Day CHG~0.00%
Published-08 Sep, 2022 | 20:10
Updated-22 Apr, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform Web Parent POM vulnerable to XSS in the attachment history

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-51490
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.15% / 35.55%
||
7 Day CHG+0.01%
Published-11 Nov, 2024 | 19:35
Updated-14 Nov, 2024 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-Site Scripting in Ampache

Ampache is a web based audio/video streaming application and file manager. This vulnerability exists in the interface section of the Ampache menu, where users can change "Custom URL - Logo". This section is not properly sanitized, allowing for the input of strings that can execute JavaScript. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-ampacheampache
Product-ampacheampache
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-45856
Matching Score-4
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-4
Assigner-HiddenLayer, Inc.
CVSS Score-9||CRITICAL
EPSS-0.20% / 42.73%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 13:05
Updated-16 Sep, 2024 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.

Action-Not Available
Vendor-mindsdbmindsdbmindsdb
Product-mindsdbmindsdbmindsdb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43400
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-3.09% / 86.26%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 16:24
Updated-22 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform allows XSS through XClass name in string properties

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platformxwiki-platform
CWE ID-CWE-96
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25955
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-9||CRITICAL
EPSS-0.41% / 60.81%
||
7 Day CHG~0.00%
Published-15 Aug, 2021 | 20:35
Updated-16 Sep, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in “Dolibarr” leads to privilege escalation

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.

Action-Not Available
Vendor-Dolibarr ERP & CRM
Product-dolibarrdolibarr
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24693
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9||CRITICAL
EPSS-0.62% / 69.08%
||
7 Day CHG~0.00%
Published-08 Nov, 2021 | 17:35
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Download Monitor < 3.9.5 - Contributor+ Stored Cross-Site Scripting via File Thumbnail

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-simple_download_monitorSimple Download Monitor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9732
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9||CRITICAL
EPSS-0.95% / 75.44%
||
7 Day CHG~0.00%
Published-10 Sep, 2020 | 16:35
Updated-17 Sep, 2024 | 01:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in AEM Sites Components

The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Sites component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_formsexperience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9741
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9||CRITICAL
EPSS-0.66% / 70.12%
||
7 Day CHG~0.00%
Published-10 Sep, 2020 | 16:35
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in AEM Forms Components

The AEM forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9734
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9||CRITICAL
EPSS-0.66% / 70.12%
||
7 Day CHG~0.00%
Published-10 Sep, 2020 | 16:35
Updated-17 Sep, 2024 | 02:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in AEM Forms component

The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.1 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25603
Matching Score-4
Assigner-Liferay, Inc.
ShareView Details
Matching Score-4
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.20% / 42.19%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:09
Updated-28 Jan, 2025 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortalportaldigital_experience_platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found