Vulnerabilities > Liferay

DATE CVE VULNERABILITY TITLE RISK
2022-10-18 CVE-2022-42117 Cross-site Scripting vulnerability in Liferay DXP 7.0
A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.
network
low complexity
liferay CWE-79
6.1
2022-10-13 CVE-2022-38902 Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal
A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic.
network
low complexity
liferay CWE-79
5.4
2022-10-07 CVE-2022-41414 Incorrect Default Permissions vulnerability in Liferay Portal
An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.
network
low complexity
liferay CWE-276
5.3
2022-09-22 CVE-2022-28977 Open Redirect vulnerability in Liferay DXP and Liferay Portal
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.
network
low complexity
liferay CWE-601
6.1
2022-09-22 CVE-2022-28980 Cross-site Scripting vulnerability in Liferay Portal
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.
network
low complexity
liferay CWE-79
6.1
2022-09-22 CVE-2022-28981 Path Traversal vulnerability in Liferay Portal 7.4.0/7.4.1/7.4.2
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.
network
low complexity
liferay CWE-22
7.5
2022-09-22 CVE-2022-38512 Missing Authorization vulnerability in Liferay DXP and Liferay Portal
The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.
network
low complexity
liferay CWE-862
6.5
2022-09-22 CVE-2022-28978 Cross-site Scripting vulnerability in Liferay DXP 7.0/7.2
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name.
network
low complexity
liferay CWE-79
5.4
2022-09-22 CVE-2022-28979 Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget.
network
low complexity
liferay CWE-79
6.1
2022-09-22 CVE-2022-28982 Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
network
low complexity
liferay CWE-79
6.1