Search Results
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:liferay:liferay_portal:7.3.1:

Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-25148 | In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content. Published: February 07, 2024; 11:15:08 PM -0500 | V3.1: 8.1 HIGH; V2.0: (not available) |
CVE-2024-25146 | Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if `locale.prepend.friendly.url.style=2` and if a custom 404 page is used. Published: February 07, 2024; 11:15:08 PM -0500 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
CVE-2024-25144 | The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self-referencing IFrame. Published: February 07, 2024; 11:15:07 PM -0500 | V3.1: 6.5 MEDIUM; V2.0: (not available) |
CVE-2024-25145 | Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application. Published: February 07, 2024; 10:15:09 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-42628 | Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field. Published: October 17, 2023; 8:15:10 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-33945 | SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded. Published: May 24, 2023; 12:15:09 PM -0400 | V3.1: 8.1 HIGH; V2.0: (not available) |
CVE-2023-33939 | Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. Published: May 24, 2023; 10:15:09 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-33938 | Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field. Published: May 24, 2023; 10:15:09 AM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
CVE-2022-42132 | The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. Published: November 14, 2022; 9:15:12 PM -0500 | V3.1: 5.9 MEDIUM; V2.0: (not available) |
CVE-2022-42131 | Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3. Published: November 14, 2022; 9:15:12 PM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
CVE-2022-42130 | The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. Published: November 14, 2022; 9:15:11 PM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
CVE-2022-42121 | A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field. Published: November 14, 2022; 8:15:12 PM -0500 | V3.1: 8.8 HIGH; V2.0: (not available) |
CVE-2022-42118 | A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter. Published: November 14, 2022; 8:15:12 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
CVE-2022-42111 | A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. Published: November 14, 2022; 8:15:10 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-42110 | A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. Published: November 14, 2022; 7:15:12 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
CVE-2022-42112 | A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. Published: October 18, 2022; 5:15:16 PM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-38902 | A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic. Published: October 13, 2022; 9:15:10 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-41414 | An insecure default in the component `auth.login.prompt.enabled` of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages. Published: October 07, 2022; 2:15:22 PM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
CVE-2022-28980 | Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allow attackers to execute arbitrary web scripts or HTML via parameters with the `filter_` prefix. Published: September 21, 2022; 9:15:11 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
CVE-2022-28977 | `HtmlUtil.escapeRedirect` in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, and (3) other parameters that rely on `HtmlUtil.escapeRedirect`. Published: September 21, 2022; 9:15:10 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |