Vulnerabilities > Liferay > Liferay Portal > 7.3.5
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-28 | CVE-2020-28884 | OS Command Injection vulnerability in Liferay Portal 7.2/7.3.5 Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. | 7.2 |
| 2022-01-28 | CVE-2020-28885 | OS Command Injection vulnerability in Liferay Portal 7.2/7.3.5 Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. | 7.2 |
| 2021-08-03 | CVE-2021-33328 | Cross-site Scripting vulnerability in Liferay DXP 7.0 Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter. | 5.4 |
| 2021-05-17 | CVE-2021-29048 | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter. | 6.1 |
| 2021-05-17 | CVE-2021-29051 | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter. | 6.1 |
| 2021-05-17 | CVE-2021-29052 | Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls. | 4.3 |
| 2021-05-17 | CVE-2021-29043 | Insufficiently Protected Credentials vulnerability in Liferay DXP 7.0 The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. | 5.9 |
| 2021-05-17 | CVE-2021-29044 | Cross-site Scripting vulnerability in Liferay DXP 7.0 Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter. | 6.1 |
| 2021-05-17 | CVE-2021-29045 | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter. | 6.1 |
| 2021-05-17 | CVE-2021-29046 | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter. | 6.1 |