Vulnerabilities > Liferay

DATE CVE VULNERABILITY TITLE RISK
2021-05-17 CVE-2021-29052 Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
network
low complexity
liferay CWE-276
4.3
2021-05-17 CVE-2021-29043 Insufficiently Protected Credentials vulnerability in Liferay DXP 7.0
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
network
high complexity
liferay CWE-522
5.9
2021-05-17 CVE-2021-29044 Cross-site Scripting vulnerability in Liferay DXP 7.0
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.
network
low complexity
liferay CWE-79
6.1
2021-05-17 CVE-2021-29045 Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter.
network
low complexity
liferay CWE-79
6.1
2021-05-17 CVE-2021-29046 Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.
network
low complexity
liferay CWE-79
6.1
2021-05-17 CVE-2021-29053 SQL Injection vulnerability in Liferay DXP and Liferay Portal
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.
network
low complexity
liferay CWE-89
8.8
2021-05-16 CVE-2021-29040 Information Exposure Through an Error Message vulnerability in Liferay DXP 7.0
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs.
network
low complexity
liferay CWE-209
5.3
2021-05-16 CVE-2021-29041 Unspecified vulnerability in Liferay DXP 7.0
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the other user's TOTP shared secret.
network
low complexity
liferay
6.5
2021-05-16 CVE-2021-29047 Improper Authentication vulnerability in Liferay DXP and Liferay Portal
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
network
low complexity
liferay CWE-287
7.5
2021-05-16 CVE-2021-29039 Cross-site Scripting vulnerability in Liferay Portal 7.3.4
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.
network
low complexity
liferay CWE-79
6.1