Look up vulnerable packages by Package URL.

GET /api/packages/65212?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/65212?format=api",
    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.4",
    "type": "maven",
    "namespace": "com.liferay.portal",
    "name": "release.portal.bom",
    "version": "7.4.3.4",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "7.0.3-ga4",
    "latest_non_vulnerable_version": "7.4.3.120",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45258?format=api",
            "vulnerability_id": "VCID-patg-tmcj-3qbh",
            "summary": "Liferay portal has unauthorized access to object definition via search\nThe Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.",
            "references": [
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947",
                    "reference_id": "CVE-2023-33947",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33947",
                    "reference_id": "CVE-2023-33947",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33947"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-769c-p92r-xgxj",
                    "reference_id": "GHSA-769c-p92r-xgxj",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-769c-p92r-xgxj"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65216?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.61",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.61"
                }
            ],
            "aliases": [
                "CVE-2023-33947",
                "GHSA-769c-p92r-xgxj"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-patg-tmcj-3qbh"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45256?format=api",
            "vulnerability_id": "VCID-v633-mycj-6uh6",
            "summary": "Liferay portal unauthorized access to objects via OAuth 2 scope\nThe Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.",
            "references": [
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946",
                    "reference_id": "CVE-2023-33946",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33946",
                    "reference_id": "CVE-2023-33946",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33946"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2868-ff44-43qv",
                    "reference_id": "GHSA-2868-ff44-43qv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-2868-ff44-43qv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65213?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.49",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.49"
                }
            ],
            "aliases": [
                "CVE-2023-33946",
                "GHSA-2868-ff44-43qv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v633-mycj-6uh6"
        }
    ],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47088?format=api",
            "vulnerability_id": "VCID-xuaz-p5q4-8beh",
            "summary": "Liferay Portal Calendar module and Liferay DXP vulnerable to Cross-site Scripting, content spoofing\nThe Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user-supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151",
                    "reference_id": "CVE-2024-25151",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25151",
                    "reference_id": "CVE-2024-25151",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25151"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-hgr6-6hhw-883f",
                    "reference_id": "GHSA-hgr6-6hhw-883f",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-hgr6-6hhw-883f"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65212?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-patg-tmcj-3qbh"
                        },
                        {
                            "vulnerability": "VCID-v633-mycj-6uh6"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.4"
                }
            ],
            "aliases": [
                "CVE-2024-25151",
                "GHSA-hgr6-6hhw-883f"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xuaz-p5q4-8beh"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.4"
}