9 matches found
Improper Authentication
com.liferay, com.liferay.portal.cluster.multiple is vulnerable to Improper Authentication. The vulnerability is due to insufficient authentication of cluster messages, which allows a remote attacker to send unauthenticated malicious data that is processed as trusted data by the affected systems...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the Objects module. An authenticated attacker with Instance Administrator privileges can execute arbitrary code by submitting specially crafted Groovy scripts through Object Actions or Validations. Remediation...
Insecure Direct Object Reference (IDOR)
com.liferay, com.liferay.object.service is vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability is due to insufficient access control between virtual instances, which allows an attacker to access, create, edit, or relate data and object entries/definitions across different virtu...
Cross-Site Scripting (Reflected XSS)
com.liferay, com.liferay.layout.taglib is vulnerable to reflected cross-site scripting (XSS). The vulnerability is due to improper validation of the embedded message field in the form container, which allows an attacker to inject and execute arbitrary JavaScript in a victim’s browser...
Reflected Cross-Site Scripting (Reflected XSS)
com.liferay.portal, release.portal.bom is vulnerable to reflected cross-site scripting (XSS). The vulnerability is due to improper validation of the snippet parameter, which allows an attacker to inject and execute arbitrary JavaScript code in a victim’s browser...
User Enumeration
com.liferay, com.liferay.login.web is vulnerable to User Enumeration. The vulnerability is due to improper handling of account creation requests on the "create account" page, which allows an attacker to determine if a specific account exists in the application...
Reflected Cross-Site Scripting (Reflected XSS)
com.liferay, com.liferay.layout.taglib is vulnerable to reflected cross-site scripting (XSS). The vulnerability is due to improper sanitization of user input in the content page's name field, which allows an attacker to inject and execute malicious JavaScript code when a user views the "document Vi...
Information Exposure
Overview: com.liferay:com.liferay.login.web is a package for Liferay. Affected versions of this package are vulnerable to Information Exposure via the account creation process. An attacker can determine whether specific user accounts exist by submitting crafted requests and analyzing the responses...
com.liferay:com.liferay.wiki.layout.prototype (>=1.0.0 <=1.0.14) potentially affected by CVE-2023-42628 via com.liferay:com.liferay.wiki.web (>=1.0.0 <=3.0.0)
com.liferay:com.liferay.wiki.web MAVEN version =1.0.0, =1.0.0, =1.0.14 Source cves: CVE-2023-42628 Source advisory: OSV:GHSA-HV45-R2F5-FMHJ...