Vulnerabilities > Liferay
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-24 | CVE-2023-33946 | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page. | 4.3 |
| 2023-05-24 | CVE-2023-33947 | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition. | 4.3 |
| 2023-05-24 | CVE-2023-33948 | Missing Authorization vulnerability in Liferay Digital Experience Platform and Liferay Portal The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL. | 7.5 |
| 2023-05-24 | CVE-2023-33941 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. | 6.1 |
| 2023-05-24 | CVE-2023-33942 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field. | 5.4 |
| 2023-05-24 | CVE-2023-33943 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field. | 5.4 |
| 2023-05-24 | CVE-2023-33938 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field. | 6.1 |
| 2023-05-24 | CVE-2023-33939 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. | 5.4 |
| 2023-05-24 | CVE-2023-33940 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL. | 5.4 |
| 2023-05-24 | CVE-2023-33937 | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field. | 5.4 |