Vulnerabilities > Liferay > Digital Experience Platform > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-10-17 CVE-2023-42627 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.
network
low complexity
liferay CWE-79
5.4
5.4
2023-10-17 CVE-2023-42628 Cross-site Scripting vulnerability in Liferay Digital Experience Platform 7.0/7.1/7.2
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
network
low complexity
liferay CWE-79
5.4
5.4
2023-10-17 CVE-2023-44310 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text field.
network
low complexity
liferay CWE-79
5.4
5.4
2023-10-17 CVE-2023-44311 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.
network
low complexity
liferay CWE-79
6.1
6.1
2023-10-17 CVE-2023-42629 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.
network
low complexity
liferay CWE-79
5.4
5.4
2023-10-17 CVE-2023-44309 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.
network
low complexity
liferay CWE-79
5.4
5.4
2023-10-17 CVE-2023-42497 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.
network
low complexity
liferay CWE-79
6.1
6.1
2023-08-02 CVE-2023-3426 Missing Authorization vulnerability in Liferay Digital Experience Platform and Liferay Portal
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
network
low complexity
liferay CWE-862
4.3
4.3
2023-05-24 CVE-2023-33944 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.
network
low complexity
liferay CWE-79
6.1
6.1
2023-05-24 CVE-2023-33946 Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.
network
low complexity
liferay
4.3
4.3