Shailesh Suthar

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.131 Liferay DXP versions 2024.Q1.1 through 2024.Q1.12 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay Portal 7.4 GA through update 92 Description: A reflected cross-site scripting (XSS) vulnerability exists that allows a remote, non-authenticated attacker to inject JavaScript into the `google gadget`. Recommendations: Liferay Portal versions 7.4.0 through 7.4.3.131 should be updated. Liferay DXP versions 2024.Q1.1 through 2024.Q1.12 should be updated. Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 should be updated. Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 should be updated. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 should be updated. Liferay Portal 7.4 GA through update 92 should be updated.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.4.2 **Description** The issue allows remote attackers to conduct server-side request forgery (SSRF) attacks. This is achieved by providing a zero value in the first octet of an IPv4 address in the `u` parameter to the "/wp-admin/press-this.php" API endpoint. **Recommendations** For versions prior to 4.4.2, update to version 4.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/press-this.php" API endpoint until the update is applied. Avoid using the `u` parameter in the affected API endpoint until the issue is resolved.