In Liferay Portal versions 7.4.0 through 7.4.3.103 and Liferay DXP versions from 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and 7.3 update 29 through update 35 a high severity vulnerability CVE-2024-26273 was detected. This vulnerability allows attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter. To fix this issue, users should update Liferay Portal to version 7.4.3.104 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, 7.3 Update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-26273.
In Liferay Portal versions 7.4.3.75 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92, and 7.3 update 32 through update 36 a high severity vulnerability CVE-2024-26271 was detected. This CSRF vulnerability in the My Account widget allows attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. To address this issue, users should update Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, 7.3 Update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-26271.
In Liferay Portal versions 7.0.0 to 7.4.3.101 and Liferay DXP versions 2023.Q3.1 to 2023.Q3.4 a critical severity vulnerability CVE-2024-8980 was detected. This vulnerability allows attackers to execute arbitrary Groovy scripts via crafted URLs due to insufficient CSRF protection. To fix this issue, users must upgrade to a patched version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8980.
Read more CMS
In GitLab CE/EE versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1 a high severity vulnerability CVE-2024-8312 was detected. This vulnerability allows attackers to inject HTML into the Global Search field on a diff view, leading to cross-site scripting (XSS) attacks. To fix this issue, users should update GitLab to versions 17.5.1, 17.4.3, and 17.3.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8312.
Read more Developer Tools
In GitLab CE/EE all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1 a high severity vulnerability CVE-2024-6826 was detected. This vulnerability allows attackers to cause a denial of service (DoS) by importing a maliciously crafted XML manifest file into GitLab, potentially leading to service disruption. To fix this issue, users should update GitLab to versions 17.5.1, 17.4.3, and 17.3.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6826.
Read more Developer Tools
In Liferay Portal versions 7.3.2 through 7.4.3.107 and Liferay DXP versions from 2023.Q4.0 through 2023.Q4.2 and 2023.Q3.1 through 2023.Q3.5 a high severity vulnerability CVE-2024-26272 was detected. This vulnerability allows attackers to take control of the system, change passwords, shut it down, and run harmful commands remotely. To fix this issue, users should upgrade the Liferay Portal to version 7.4.3.108, Liferay DXP to versions 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, 7.3 Update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-26272.
Read more CMS
In NGINX versions prior to 2.0.0-beta.36 a medium severity vulnerability CVE-2024-49367 was found. This vulnerability in Nginx UI allows attackers to control the log path and, with directory traversal, access sensitive files on the server, posing a serious security risk. To address this issue, upgrade to version 2.0.0-beta.36. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-49367.
Read more Application Development
In Liferay Portal versions 7.3.2 to 7.4.3.111 and Liferay DXP versions 2023.Q4.0 to 2023.Q4.5, 2023.Q3.1 to 2023.Q3.8, 7.4 GA to update 92, and 7.3 GA to update 36 a critical vulnerability CVE-2024-38002 was detected. This vulnerability allows attackers to modify workflow definitions and execute arbitrary code (RCE) by exploiting missing permission checks in the workflow component via the headless API. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38002.
Read more CMS
In OpenShift version 4 a medium severity vulnerability CVE-2024-50311 was detected. This vulnerability allows attackers to exploit the GraphQL batching functionality. The flaw arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-50311.
Read more Developer Tools