Lucas Machado

Name of the Vulnerable Software and Affected Versions: Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 through 11.4 Description: A stored Cross-site Scripting issue exists in Esri Portal for ArcGIS Enterprise Sites that may allow a remote, authenticated attacker to inject a malicious file containing an XSS script. When loaded, this script could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, and it could lead to the disclosure of a privileged token, potentially granting the attacker full control of the Portal. Recommendations: Update Esri Portal for ArcGIS Enterprise Sites to a version prior to 10.9.1 or after 11.4.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.2.0 through 7.4.3.129 Liferay DXP versions 2024.Q4.1 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.9 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.12 Liferay DXP versions 2023.Q4.0 through 2023.Q4.10 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay Portal versions 7.4 GA through update 92 Liferay Portal versions 7.3 GA through update 36 Liferay Portal versions 7.2 GA through fix pack 20 **Description** A stored cross-site scripting (XSS) issue exists with radio button type custom fields, allowing remote authenticated attackers to inject malicious JavaScript into a page. **Recommendations** For Liferay Portal versions 7.2.0 through 7.4.3.129, update to a version that includes the fix for this issue. For Liferay DXP versions 2024.Q4.1 through 2024.Q4.7, update to a version that includes the fix for this issue. For Liferay DXP versions 2024.Q3.1 through 2024.Q3.9, update to a version that includes the fix for this issue. For Liferay DXP versions 2024.Q2.0 through 2024.Q2.13, update to a version that includes the fix for this issue. For Liferay DXP versions 2024.Q1.1 through 2024.Q1.12, update to a version that includes the fix for this issue. For Liferay DXP versions 2023.Q4.0 through 2023.Q4.10, update to a version that includes the fix for this issue. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.10, update to a version that includes the fix for this issue. For Liferay Portal versions 7.4 GA through update 92, apply update 93 or later. For Liferay Portal versions 7.3 GA through update 36, apply update 37 or later. For Liferay Portal versions 7.2 GA through fix pack 20, apply fix pack 21 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Sterling Partner Engagement Manager versions 6.1.2, 6.2.0, and 6.2.2 **Description** The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. This is due to a stored cross-site scripting vulnerability. **Recommendations** For versions 6.1.2, 6.2.0, and 6.2.2, consider disabling the Web UI functionality until a patch is available to prevent the embedding of arbitrary JavaScript code. Restrict access to the Web UI to minimize the risk of exploitation. Avoid using the Web UI for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.