Vulnerabilities > Liferay
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-15 | CVE-2022-42122 | SQL Injection vulnerability in Liferay DXP and Liferay Portal A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL. | 9.8 |
| 2022-11-15 | CVE-2022-42123 | Path Traversal vulnerability in Liferay Digital Experience Platform and Liferay Portal A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin. | 7.5 |
| 2022-11-15 | CVE-2022-42124 | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype. | 7.5 |
| 2022-11-15 | CVE-2022-42125 | Path Traversal vulnerability in Liferay Digital Experience Platform and Liferay Portal Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module. | 7.5 |
| 2022-11-15 | CVE-2022-42126 | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI. | 4.3 |
| 2022-11-15 | CVE-2022-42127 | Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page. | 5.3 |
| 2022-11-15 | CVE-2022-42128 | Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API. | 5.3 |
| 2022-11-15 | CVE-2022-42110 | Cross-site Scripting vulnerability in Liferay Portal A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. | 6.1 |
| 2022-10-19 | CVE-2022-38901 | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file. | 5.4 |
| 2022-10-18 | CVE-2022-42112 | Cross-site Scripting vulnerability in Liferay DXP A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. | 5.4 |