25 matches found
CVE-2023-33948
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL...
CVE-2022-38901
A Cross-site scripting XSS vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file...
Liferay Portal 7.4.x < 7.4.3.102 XSS
The version of Liferay Portal installed on the remote host is prior to 7.4.3.102. It is, therefore, affected by a vulnerability as referenced in the advisory. - Stored cross-site scripting XSS vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay...
Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting
Stored cross-site scripting XSS vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected...
GHSA-Q2CV-7J58-RFMJ Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting
Stored cross-site scripting XSS vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected...
CVE-2023-47795
Stored cross-site scripting XSS vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected...
PT-2024-13495 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.18 through 7.4.3.101 Liferay DXP 2023.Q3 before patch 6 Liferay DXP 7.4 update 18 through 92 Description: A stored cross-site scripting XSS issue exists in the Document and Media widget, allowing remote...
GHSA-87M3-6QJ3-P3XH Liferay Portal denial of service (memory consumption)
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote...
Liferay Portal denial of service (memory consumption)
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote...
CVE-2024-25143
CVE-2024-25143 affects Liferay Portal 7.2.0–7.3.6 and Liferay DXP 7.3 before SP3, and 7.2 before FP13; the issue arises when generating previews for Document and Media widgets, where resource consumption is not limited, leading to possible DoS via crafted PNG images. Exploitation status is not de...
CVE-2024-25143
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote...
BIT-LIFERAY-2023-33948
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL...
Liferay Portal 7.4.3.67 < 7.4.3.68 Authentication Bypass
The Dynamic Data Mapping module in Liferay Portal and Liferay DXP does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL. Note that Nessus has not tested for this issue but has inste...
Missing authorization in Liferay portal
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL...
CVE-2023-33948
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL...
CVE-2023-33948
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL...
CVE-2023-33948
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL...
CVE-2023-33948
The CVE-2023-33948 entry concerns the Dynamic Data Mapping module in Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67, where Document and Media files can be downloaded from a Form without proper restrictions, allowing remote attackers to retrieve arbitrary files via crafted URLs. Connected s...
PT-2023-24590 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal version 7.4.3.67 Liferay DXP 7.4 update 67 Description: The issue allows remote attackers to download any file from Document and Media via a crafted URL, due to the Dynamic Data Mapping module not limiting Document and Media...
Liferay Portal和Liferay DXP 安全漏洞
Liferay Portal and Liferay DXP are both products of Liferay Inc.Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP ...