Lucene search

K

28 matches found

CVE
CVE
added 2024/02/20 5:15 a.m.8599 views

CVE-2022-45320

Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page.

6.3CVSS6.5AI score0.00526EPSS
CVE
CVE
added 2020/03/20 7:15 p.m.1657 views

CVE-2020-7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

9.8CVSS9.7AI score0.94412EPSS
In wild
CVE
CVE
added 2019/09/09 9:15 p.m.175 views

CVE-2019-16147

Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.

6.1CVSS5.8AI score0.0024EPSS
Web
CVE
CVE
added 2020/07/20 2:15 a.m.110 views

CVE-2020-15841

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.

8.8CVSS8.6AI score0.00337EPSS
CVE
CVE
added 2020/07/20 2:15 a.m.108 views

CVE-2020-15842

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

8.1CVSS8.3AI score0.0057EPSS
CVE
CVE
added 2020/09/01 2:15 p.m.105 views

CVE-2020-24554

The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist.

7.5CVSS7.4AI score0.00643EPSS
CVE
CVE
added 2020/09/24 3:15 p.m.100 views

CVE-2020-15840

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.

5.3CVSS5.3AI score0.00249EPSS
CVE
CVE
added 2020/09/22 6:15 p.m.98 views

CVE-2020-15839

Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.

6.5CVSS6.1AI score0.01076EPSS
CVE
CVE
added 2024/02/20 9:15 a.m.93 views

CVE-2024-25605

The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers...

5.3CVSS5.2AI score0.00243EPSS
CVE
CVE
added 2021/08/03 9:15 p.m.85 views

CVE-2021-33333

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs.

6.5CVSS6AI score0.00285EPSS
CVE
CVE
added 2024/02/21 2:15 a.m.81 views

CVE-2024-25147

Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML v...

9.6CVSS7.5AI score0.00192EPSS
CVE
CVE
added 2024/02/21 2:15 a.m.80 views

CVE-2024-25602

Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject...

9CVSS7AI score0.00152EPSS
CVE
CVE
added 2024/02/21 2:15 a.m.78 views

CVE-2024-25152

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web ...

9CVSS7.2AI score0.00152EPSS
CVE
CVE
added 2024/02/20 9:15 a.m.78 views

CVE-2024-25604

Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit the...

6.5CVSS6.2AI score0.00183EPSS
CVE
CVE
added 2021/08/03 7:15 p.m.71 views

CVE-2021-33326

Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.

6.1CVSS6AI score0.00418EPSS
CVE
CVE
added 2022/09/22 1:15 a.m.70 views

CVE-2022-28980

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.

6.1CVSS6.1AI score0.00234EPSS
CVE
CVE
added 2024/02/21 2:15 a.m.70 views

CVE-2024-25601

Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to...

9CVSS7AI score0.00152EPSS
CVE
CVE
added 2021/08/03 7:15 p.m.67 views

CVE-2021-33322

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token...

7.5CVSS7.6AI score0.00223EPSS
CVE
CVE
added 2024/02/20 10:15 a.m.66 views

CVE-2024-25609

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to re...

6.1CVSS6.3AI score0.00509EPSS
CVE
CVE
added 2024/02/20 7:15 a.m.64 views

CVE-2024-25149

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, wh...

5.4CVSS5.2AI score0.00259EPSS
CVE
CVE
added 2024/02/20 1:15 p.m.58 views

CVE-2024-25610

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users...

9CVSS7.9AI score0.00139EPSS
CVE
CVE
added 2024/02/20 8:15 a.m.57 views

CVE-2024-25150

Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's...

4.3CVSS4.2AI score0.00237EPSS
CVE
CVE
added 2021/08/03 7:15 p.m.55 views

CVE-2021-33320

The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emai...

4.3CVSS4.3AI score0.00392EPSS
CVE
CVE
added 2024/02/20 10:15 a.m.55 views

CVE-2024-25608

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote ...

6.1CVSS6.3AI score0.00469EPSS
CVE
CVE
added 2021/08/03 7:15 p.m.53 views

CVE-2021-33325

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the datab...

4.9CVSS4.9AI score0.00123EPSS
CVE
CVE
added 2024/02/20 9:15 a.m.49 views

CVE-2024-25606

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive inf...

8.7CVSS7.4AI score0.00135EPSS
CVE
CVE
added 2018/01/02 11:29 p.m.48 views

CVE-2017-1000425

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.

6.1CVSS6AI score0.0026EPSS
Web
CVE
CVE
added 2024/02/07 3:15 p.m.36 views

CVE-2024-25143

The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authentica...

6.5CVSS6.1AI score0.00745EPSS