Vulnerabilities > Liferay > Liferay Portal
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-17 | CVE-2021-29046 | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter. | 4.3 |
| 2021-05-17 | CVE-2021-29053 | SQL Injection vulnerability in Liferay DXP and Liferay Portal Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C. | 6.5 |
| 2021-05-16 | CVE-2021-29040 | Information Exposure Through an Error Message vulnerability in Liferay DXP 7.0 The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs. | 5.0 |
| 2021-05-16 | CVE-2021-29047 | Improper Authentication vulnerability in Liferay DXP 7.0 The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer. | 5.0 |
| 2021-05-16 | CVE-2021-29039 | Cross-site Scripting vulnerability in Liferay Portal 7.3.4 Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name. | 4.3 |
| 2021-01-07 | CVE-2020-25476 | Cross-site Scripting vulnerability in Liferay Portal 7.1.3/7.2.1 Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. | 4.3 |
| 2020-09-24 | CVE-2020-15840 | Unspecified vulnerability in Liferay DXP and Liferay Portal In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs. | 5.0 |
| 2020-09-22 | CVE-2020-15839 | Unrestricted Upload of File with Dangerous Type vulnerability in Liferay Digital Experience Platform and Liferay Portal Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. | 4.0 |
| 2020-09-01 | CVE-2020-24554 | Open Redirect vulnerability in Liferay Portal The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist. | 5.0 |
| 2020-07-20 | CVE-2020-15842 | Deserialization of Untrusted Data vulnerability in Liferay DXP 7.0 Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | 6.8 |