Vulnerabilities > Liferay > Liferay Portal > 7.2
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-15 | CVE-2022-42110 | Cross-site Scripting vulnerability in Liferay Portal A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. | 6.1 |
| 2022-10-07 | CVE-2022-41414 | Incorrect Default Permissions vulnerability in Liferay Portal An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages. | 5.3 |
| 2022-09-22 | CVE-2022-28980 | Cross-site Scripting vulnerability in Liferay Portal Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix. | 6.1 |
| 2022-04-25 | CVE-2022-26596 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform 7.0/7.1/7.2 Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names. | 4.3 |
| 2022-03-03 | CVE-2021-38263 | Cross-site Scripting vulnerability in Liferay Portal Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script. | 4.3 |
| 2022-03-03 | CVE-2021-38269 | Cross-site Scripting vulnerability in Liferay Portal Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command. | 3.5 |
| 2022-03-02 | CVE-2021-38266 | Unspecified vulnerability in Liferay Portal The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP. | 5.0 |
| 2022-03-02 | CVE-2021-38268 | Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API. | 6.5 |
| 2022-01-28 | CVE-2020-28884 | OS Command Injection vulnerability in Liferay Portal 7.2/7.3.5 Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. | 7.2 |
| 2022-01-28 | CVE-2020-28885 | OS Command Injection vulnerability in Liferay Portal 7.2/7.3.5 Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. | 7.2 |