Source
ghsa
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allow a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web component due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.
An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.
**Pre-requisites:** * Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret) * Somehow, manage to create an arbitrary file in Craft’s `/storage/backups` folder. With those two pieces in place, you could create a specific, malicious request to the `/updater/restore-db` endpoint to execute CLI commands remotely. Fixed in https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57 ----- Reported by Marco O. (segfault)
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp
In versions before `0.15.0`, `@workos-inc/authkit-remix` exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the `authkitLoader`. This caused them to be rendered into the browser HTML. ### Impact Exposure of these artifacts could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible. ### Patches Patched in [https://github.com/workos/authkit-remix/releases/tag/v0.15.0](https://github.com/workos/authkit-remix/releases/tag/v0.15.0) In patched versions: - `sealedSession` and `accessToken` are no longer returned by default from the `authkitLoader`. - A secure server-side mechanism is provided to fetch an access token as needed.
In versions before `0.7.0`, `@workos-inc/authkit-react-router` exposed sensitive authentication artifacts — specifically `sealedSession` and `accessToken` by returning them from the `authkitLoader`. This caused them to be rendered into the browser HTML. ### Impact This information disclosure could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible. ### Patches Patched in [https://github.com/workos/authkit-react-router/releases/tag/v0.7.0](https://github.com/workos/authkit-react-router/releases/tag/v0.7.0) In patched versions: - `sealedSession` and `accessToken` are no longer returned by default from the `authkitLoader`. - A secure server-side mechanism is provided to fetch an access token as needed.
### Impact OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the `username_as_alias=true` parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. ### Patches OpenBao v2.3.2 will patch this issue. ### Workarounds LDAP methods are only vulnerable if using `username_as_alias=true`. Remove all usage of this parameter and update any entity aliases accordingly. ### References This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets: - https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092 - https://nvd.nist.gov/vuln/detail/CVE-2025-6013
### Impact OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. ### Patches OpenBao v2.3.2 will patch this issue. ### Workarounds Use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/ ### References This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets: - https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038 - https://nvd.nist.gov/vuln/detail/CVE-2025-6015
### Impact OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. ### Patches OpenBao v2.3.2 will patch this issue. In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change. ### Workarounds TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint. ### References This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets: - https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036 - https://nvd.nist.gov/vuln/detail/CVE-2025-6014
### Impact When using OpenBao's `userpass` auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. ### Patches OpenBao v2.3.2 will patch this issue. ### Workarounds Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/ ### References This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets: - https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034 - https://nvd.nist.gov/vuln/detail/CVE-2025-6011 Barring further information, this is also assumed to cover and remediate the following additional vulnerability: - https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095 - https://nvd...