Search Results (362544 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-29052 1 Liferay 2 Dxp, Liferay Portal 2024-11-21 4.3 Medium
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
CVE-2021-29047 1 Liferay 2 Dxp, Liferay Portal 2024-11-21 7.5 High
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-29046 1 Liferay 2 Dxp, Liferay Portal 2024-11-21 6.1 Medium
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.
CVE-2021-29045 1 Liferay 2 Dxp, Liferay Portal 2024-11-21 6.1 Medium
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter.
CVE-2021-29041 1 Liferay 1 Dxp 2024-11-21 6.5 Medium
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the other user's TOTP shared secret.
CVE-2021-29039 1 Liferay 1 Liferay Portal 2024-11-21 6.1 Medium
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.
CVE-2021-29033 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/edit_group.php URI.
CVE-2021-29032 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/preferences.php URI.
CVE-2021-29031 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/users_import.php URI.
CVE-2021-29030 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/index.php URI.
CVE-2021-29029 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/edit_personal_page.php URI.
CVE-2021-29028 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/user_activity.php URI.
CVE-2021-29027 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/index.php URI.
CVE-2021-29026 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/permissions.php URI.
CVE-2021-29025 1 Bitweaver 1 Bitweaver 2024-11-21 4.8 Medium
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/my_images.php URI.
CVE-2021-29024 1 Invoiceplane 1 Invoiceplane 2024-11-21 7.5 High
In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication.
CVE-2021-29023 1 Invoiceplane 1 Invoiceplane 2024-11-21 5.3 Medium
InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.
CVE-2021-29022 1 Invoiceplane 1 Invoiceplane 2024-11-21 5.3 Medium
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
CVE-2021-29012 1 Dmasoftlab 1 Dma Radius Manager 2024-11-21 9.8 Critical
DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.
CVE-2021-29011 1 Dmasoftlab 1 Dma Radius Manager 2024-11-21 6.1 Medium
DMA Softlab Radius Manager 4.4.0 is affected by Cross Site Scripting (XSS) via the description, name, or address field (under admin.php).