Vulnerabilities > Liferay > Liferay Portal > 7.1.0

DATE CVE VULNERABILITY TITLE RISK
2024-02-07 CVE-2024-25145 Cross-site Scripting vulnerability in Liferay DXP
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.
network
low complexity
liferay CWE-79
5.4
2023-10-17 CVE-2023-42628 Cross-site Scripting vulnerability in Liferay Digital Experience Platform 7.0/7.1/7.2
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
network
low complexity
liferay CWE-79
5.4
2023-05-24 CVE-2023-33949 Insecure Default Initialization of Resource vulnerability in Liferay Digital Experience Platform and Liferay Portal
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control.
network
low complexity
liferay CWE-1188
7.5
2023-05-24 CVE-2023-33939 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
network
low complexity
liferay CWE-79
5.4
2023-05-24 CVE-2023-33937 Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.
network
low complexity
liferay CWE-79
5.4
2022-11-15 CVE-2022-42130 Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.
network
low complexity
liferay CWE-276
4.3
2022-11-15 CVE-2022-42131 Improper Certificate Validation vulnerability in Liferay Digital Experience Platform and Liferay Portal
Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers.
network
high complexity
liferay CWE-295
4.8
2022-11-15 CVE-2022-42132 Information Exposure vulnerability in Liferay Digital Experience Platform 7.0/7.1/7.2
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
network
high complexity
liferay CWE-200
5.9
2022-11-15 CVE-2022-42118 Cross-site Scripting vulnerability in Liferay Portal
A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.
network
low complexity
liferay CWE-79
6.1
2022-11-15 CVE-2022-42121 SQL Injection vulnerability in Liferay DXP and Liferay Portal
A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.
network
low complexity
liferay CWE-89
8.8