Vulnerabilities > Liferay > Liferay Portal

DATE CVE VULNERABILITY TITLE RISK
2024-02-08 CVE-2024-25144 Excessive Iteration vulnerability in Liferay DXP 7.2/7.3/7.4
The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.
network
low complexity
liferay CWE-834
6.5
2024-02-08 CVE-2024-25146 Information Exposure Through Discrepancy vulnerability in Liferay DXP and Liferay Portal
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs.
network
low complexity
liferay CWE-203
5.3
2024-02-08 CVE-2024-25148 Unspecified vulnerability in Liferay DXP and Liferay Portal
In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user.
network
low complexity
liferay
8.1
2024-02-07 CVE-2024-25145 Cross-site Scripting vulnerability in Liferay DXP
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.
network
low complexity
liferay CWE-79
5.4
2023-11-17 CVE-2023-47797 Cross-site Scripting vulnerability in Liferay Portal
Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter.
network
low complexity
liferay CWE-79
6.1
2023-10-17 CVE-2023-42627 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.
network
low complexity
liferay CWE-79
5.4
2023-10-17 CVE-2023-42628 Cross-site Scripting vulnerability in Liferay Digital Experience Platform 7.0/7.1/7.2
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
network
low complexity
liferay CWE-79
5.4
2023-10-17 CVE-2023-44310 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text field.
network
low complexity
liferay CWE-79
5.4
2023-10-17 CVE-2023-44311 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.
network
low complexity
liferay CWE-79
6.1
2023-10-17 CVE-2023-42629 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.
network
low complexity
liferay CWE-79
5.4