Vulnerabilities > Liferay > Liferay Portal
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-07-20 | CVE-2020-15841 | Insufficiently Protected Credentials vulnerability in Liferay DXP and Liferay Portal Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature. | 4.3 |
| 2020-06-10 | CVE-2020-13445 | Injection vulnerability in Liferay Portal In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates. | 6.5 |
| 2020-06-10 | CVE-2020-13444 | Unspecified vulnerability in Liferay Portal Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers. | 4.0 |
| 2020-03-20 | CVE-2020-7961 | Deserialization of Untrusted Data vulnerability in Liferay Portal Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). | 7.5 |
| 2020-01-28 | CVE-2020-7934 | Cross-site Scripting vulnerability in Liferay Portal In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. | 3.5 |
| 2019-10-04 | CVE-2019-16891 | Deserialization of Untrusted Data vulnerability in Liferay Portal Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. | 9.8 |
| 2019-09-09 | CVE-2019-16147 | Cross-site Scripting vulnerability in Liferay Portal Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib. | 4.3 |
| 2019-06-03 | CVE-2019-6588 | Cross-site Scripting vulnerability in Liferay Portal In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. | 2.6 |
| 2019-04-22 | CVE-2019-11444 | OS Command Injection vulnerability in Liferay Portal 7.1.2 An issue was discovered in Liferay Portal CE 7.1.2 GA3. | 7.2 |
| 2018-05-07 | CVE-2018-10795 | Unrestricted Upload of File with Dangerous Type vulnerability in Liferay Portal Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. | 8.8 |