liferay cms vulnerabilities

Adobe Flash Player Dereferenced Pointer Vulnerability. Oracle Java SE Sandbox Bypass Vulnerability. Unspecified vulnerability in Oracle Java SE allows remote attackers to affect integrity via unknown vectors related to deployment. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Arm Mali GPU Kernel Driver contains an unspecified vulnerability that allows a non-privileged user to achieve write access to read-only memory pages. Digest A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. Cisco IOS Software and Cisco IOS XE Software Quality of Service Remote Code Execution Vulnerability. QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. SIMalliance Toolbox Browser Command Injection Vulnerability. Vulnerability Information The Liferay AntiSamy app depends on third party libraries that have known vulnerabilities. Elasticsearch Remote Code Execution Vulnerability. A buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco ASA software could allow an attacker to cause a reload of the affected system or to remotely execute code. Microsoft Edge and Internet Explorer have a type confusion vulnerability in mshtml.dll, which allows remote code execution. WatchGuard Firebox and XTM Appliances Arbitrary Code Execution. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21674, CWP Control Web Panel OS Command Injection Vulnerability. Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability. Microsoft Windows Remote Code Execution Vulnerability. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388, Arm Mali GPU Kernel Driver Information Disclosure Vulnerability. What is a Portal? Affected Products Liferay AntiSamy 2.0.x (for Liferay Portal 6.2 EE GA1) Accellion FTA contains a server-side request forgery (SSRF) vulnerability exploited via a crafted POST request to wmProgressstat.html. https://android.googlesource.com/platform/system/vold/+/c51920c82463b240e2be0430849837d6fdc5352e, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969. Microsoft Internet Explorer contains a memory corruption vulnerability due to how the Scripting Engine handles objects in memory, leading to remote code execution. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a. MongoDB mongo-express Remote Code Execution Vulnerability. Automate any workflow Packages. Microsoft Win32k kernel-mode driver fails to properly handle objects in memory which allows for privilege escalation. Adobe Flash Player contains an integer overflow vulnerability which allows remote attackers to execute code via malformed arguments. Apple iOS and macOS Group Facetime Vulnerability. The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. VMware vCenter Server Remote Code Execution Vulnerability. Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability. The GPCIDrv and GDrv low-level drivers in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU expose functionality to read and write arbitrary physical memory. macOS Monterey contains an out-of-bounds read vulnerability that could allow an application to read kernel memory. Customer Experience. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20022 and CVE-2021-20023 to achieve privilege escalation. Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code. Microsoft Office contains an unspecified vulnerability that allows for remote code execution. Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. Liferay DXP meets the needs of today's digital-first business teams to create . The vulnerability is also known under the moniker of BlueKeep. D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. The kernel in Microsoft Windows allows local users to gain privileges via a crafted application. Red Hat JBoss Information Disclosure Vulnerability. Microsoft Windows SMB Remote Code Execution Vulnerability. Apple macOS Transparency, Consent, and Control (TCC) contains an unspecified permissions issue which may allow a malicious application to bypass privacy preferences. QNAP NAS File Station Command Injection Vulnerability. CVE-2007-5567 Google Chromium V8 engine contains a type confusion vulnerability. Cisco HyperFlex HX Data Platform Command Injection Vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00051.html, TerraMaster OS Remote Command Execution Vulnerability. https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10295, Apple iOS, iPadOS, and macOS Input Validation Vulnerability. Android Kernel Race Condition Vulnerability. Learn the difference between a traditional and headless CMS. An incorrect type vulnerability exists in the Concurrency component of Oracle's Java Runtime Environment allows an attacker to remotely execute arbitrary code. Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability. For Adobe Flash Player, the impacted product is end-of-life and should be disconnected if still in use. Mozilla Firefox and Thunderbird Type Confusion Vulnerability. Subscribe to the Known Exploited Vulnerabilities Catalog Update Bulletin, Back to previous page for background on known exploited vulnerabilities, An official website of the U.S. Department of Homeland Security, Cybersecurity & Infrastructure Security Agency, Critical Infrastructure Security and Resilience, Information and Communications Technology Supply Chain Security, HireVue Applicant Reasonable Accommodations Process, Reporting Employee and Contractor Misconduct, Accellion FTA OS Command Injection Vulnerability. https://support.apple.com/en-us/HT21286, https://support.apple.com/en-us/HT212868, https://support.apple.com/kb/HT212872, Arm Mali GPU Kernel Driver Use-After-Free Vulnerability. Citrix ShareFile Improper Access Control Vulnerability. SAP NetWeaver Remote Code Execution Vulnerability. The race condition creates a use-after-free vulnerability, causing unspecified impacts. Cisco IOS Software for Cisco Industrial Ethernet Switches PROFINET Denial-of-Service Vulnerability. The Struts 1 plugin in Apache Struts might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. Citrix SD-WAN and NetScaler SQL Injection Vulnerability. Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability. Apple iOS, iPadOS, macOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046, Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability. Adobe Acrobat and Reader Buffer Overflow Vulnerability. liferay/dxp - Docker Hub A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. Microsoft Win32k Memory Corruption Vulnerability. D-Link DIR-820L contains an unspecified vulnerability in Device Name parameter in /lan.asp which allows for remote code execution. The vendor D-Link published an advisory stating the fix under CVE-2018-20114 properly patches KEV entry CVE-2018-6530. Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. An attacker with valid credentials on Windows would be able to copy malicious files to arbitrary locations with system level privileges. SAP users must have an account in order to login and access the patch. Pulse Connect Secure and Pulse Policy Secure, Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code. Nagios XI Remote Code Execution Vulnerability. A vulnerability has been identified in the management interface of Citrix NetScaler SD-WAN Enterprise and Standard Edition and Citrix CloudBridge Virtual WAN Edition that could result in an unauthenticated, remote attacker being able to execute arbitrary code as a root user. MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface. Version. SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040827-telnet, Cisco IOS, IOS XR, and IOS XE IKEv1 Information Disclosure Vulnerability. Adobe Flash Player Integer Overflow Vulnerability. Microsoft Windows NDProxy.sys in the kernel contains an improper input validation vulnerability which can allow a local attacker to escalate privileges. SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. https://jira.atlassian.com/browse/BSERV-13438, Fortinet Multiple Products Authentication Bypass Vulnerability. Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. Successful exploitation allows an attacker to perform remote code execution with SYSTEM privileges. Microsoft Windows Secondary Logon Service Privilege Escalation Vulnerability. Docker Desktop Community Edition Privilege Escalation Vulnerability. Note: Once the update is successfully deployed, agencies can reassess the internet blocking rules. VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a command injection vulnerability. Netis WF2419 Devices Remote Code Execution Vulnerability. Product Actions. Kaseya VSA Remote Code Execution Vulnerability. F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability. The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution. Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability. TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution. VMware Tanzu Spring Data Commons Property Binder Vulnerability. Microsoft Internet Explorer ASLR Bypass Vulnerability. Microsoft Silverlight Double Dereference Vulnerability. Exploitation allows an attacker to calculate or guess the admin access token. Apply remediation actions outlined in CISA guidance [https://www.cisa.gov/guidance-applying-june-microsoft-patch]. Debian-specific Redis Server Lua Sandbox Escape Vulnerability. An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. DotNetNuke (DNN) contains a vulnerability that may allow for remote code execution via cookie deserialization. Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code. Linux Kernel contains an improper input validation vulnerability in the Reliable Datagram Sockets (RDS) protocol implementation that allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls. Microsoft Word contains a memory corruption vulnerability which when exploited could allow for remote code execution. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Multiple Qualcomm Chipsets contain a use after free vulnerability due to improper handling of memory mapping of multiple processes simultaneously. Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. https://www.oracle.com/security-alerts/cpuoct2022.html, Multiple SugarCRM Products Remote Code Execution Vulnerability. LG N1A1 NAS Remote Command Execution Vulnerability. OpenSSL Information Disclosure Vulnerability. Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash. Apple iOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability which can allow for code execution. Adobe Reader and Acrobat contain a use-after-free vulnerability which can allow for code execution. VMware ESXi OpenSLP contains a use-after-free vulnerability that allows an attacker residing in the management network with access to port 427 to perform remote code execution. Multiple Network-Attached Storage (NAS) Devices, Zyxel Multiple NAS Devices OS Command Injection Vulnerability. Google Chromium Race Condition Vulnerability. A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. Exploitation could allow an attacker to download the router configuration or detailed diagnostic information. Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction. Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability. JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. Directory traversal vulnerability in multiple TP-Link Archer devices allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/. Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability. Google Chromium V8 Engine contains a type confusion vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 which allows for the remote code execution. Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service. For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Google Chromium V8 contains an out-of-bounds read vulnerability. CVE - Search Results Oracle Solaris and Zettabyte File System (ZFS) Unspecified Vulnerability. VMware vCenter Server Information Disclosure Vulnerability. The original patch issued under this CVE ID is insufficient, please review remediation information under CVE-2021-42013. Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. Linux Kernel contains a flaw in the packet socket (AF_PACKET) implementation which could lead to incorrectly freeing memory. . Multiple NETGEAR devices contain a buffer overflow vulnerability that allows for authentication bypass and remote code execution. Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. https://www.fortiguard.com/psirt/FG-IR-22-377, Microsoft Windows COM+ Event System Service Privilege Escalation Vulnerability. A remote code execution vulnerability exists when Microsoft Windows MSDT is called using the URL protocol from a calling application. Google Chromium Use-After-Free Vulnerability. This incorrect implementation results in memory corruption, leading to kernel panic. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. WebKitGTK Memory Corruption Vulnerability. Microsoft Office MSCOMCTL.OCX Remote Code Execution Vulnerability. Microsoft IME Japanese Privilege Escalation Vulnerability. A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52, Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability. In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution. Google Chromium V8 Engine contains an incorrect implementation vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. Oracle JRE Remote Code Execution Vulnerability. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41073, Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability. Successful exploitation allows an attacker to run code in kernel mode. LifeRay CMS Fckeditor Arbitrary File Upload Vulnerability. Citrix Workspace Application and Receiver for Windows contains remote code execution vulnerability resulting from local drive access preferences not being enforced into the clients' local drives. The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. Microsoft Windows contains an unspecified vulnerability in the JScript9 scripting language which allows for remote code execution. Fortinet FortiOS and FortiADC contain an improper access control vulnerability which allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing a LDAP server connectivity test request to a rogue LDAP server. Plan and track work This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager. Adobe Acrobat and Reader Universal 3D Memory Corruption Vulnerability. A heap buffer overflow in Fortinet FortiOS and FortiProxy may cause the SSL VPN web service termination for logged in users. SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability. Cisco IOS and IOS XE Software Internet Key Exchange Denial-of-Service Vulnerability. Microsoft Windows Certificate Dialog contains a privilege escalation vulnerability, allowing attackers to run processes in an elevated context. Liferay - What CMS? Realtek AP-Router SDK Buffer Overflow Vulnerability. Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Spring Cloud Configuration (Config) Server, VMware Tanzu Spring Cloud Config Directory Traversal Vulnerability. Trend Micro OfficeScan contains a directory traversal vulnerability by extracting files from a zip file to a specific folder on the OfficeScan server, leading to remote code execution. For Adobe Acrobat and Reader, apply updates per vendor instructions. Aviatrix Controller Unrestricted Upload of File. Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution. WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site. A privilege elevation vulnerability exists in the POSIX subsystem. Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability. Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands. Microsoft Windows SMB Information Disclosure Vulnerability. Linux kernel fails to check all 64 bits of attr.config passed by user space, resulting to out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy(). Google Chromium V8 Engine contains an improper input validation vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls. Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability. Mozilla Firefox Security Feature Bypass Vulnerability. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. contains an information disclosure vulnerability in the Internet Key Exchange version 1 (IKEv1) that could allow an attacker to retrieve memory contents. A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Palo Alto Networks PAN-OS Remote Code Execution Vulnerability. Microsoft Windows Scripting Engine Memory Corruption Vulnerability. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution. Use-after-free vulnerability in Adobe Flash Player Windows and OS and Linux allows remote attackers to execute arbitrary code. Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server. Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability which allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.
Grilling Frozen Burgers, What Are The Control Measures Of Mosquito, Articles L