Vulnerabilities > Liferay

DATE CVE VULNERABILITY TITLE RISK
2021-08-03 CVE-2021-33324 Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.
network
low complexity
liferay CWE-276
4.3
2021-08-03 CVE-2021-33325 Cleartext Storage of Sensitive Information vulnerability in Liferay DXP 7.0
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.
network
low complexity
liferay CWE-312
4.9
2021-08-03 CVE-2021-33326 Cross-site Scripting vulnerability in Liferay DXP 7.0
Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.
network
low complexity
liferay CWE-79
6.1
2021-08-03 CVE-2021-33327 Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal
The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.
network
low complexity
liferay CWE-276
4.3
2021-08-03 CVE-2021-33328 Cross-site Scripting vulnerability in Liferay DXP 7.0
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
network
low complexity
liferay CWE-79
5.4
2021-08-03 CVE-2021-33330 Unspecified vulnerability in Liferay DXP and Liferay Portal
Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.
network
low complexity
liferay
4.3
2021-06-09 CVE-2021-29049 Cross-site Scripting vulnerability in Liferay DXP 7.0
Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter.
network
low complexity
liferay CWE-79
6.1
2021-05-17 CVE-2021-29048 Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.
network
low complexity
liferay CWE-79
6.1
2021-05-17 CVE-2021-29051 Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.
network
low complexity
liferay CWE-79
6.1
2021-05-17 CVE-2021-29052 Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
network
low complexity
liferay CWE-276
4.3