Vulnerabilities > Liferay > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-09-24 | CVE-2020-15840 | Unspecified vulnerability in Liferay DXP and Liferay Portal In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs. | 5.3 |
| 2020-09-22 | CVE-2020-15839 | Unrestricted Upload of File with Dangerous Type vulnerability in Liferay Portal Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. | 6.5 |
| 2020-06-10 | CVE-2020-13444 | Unspecified vulnerability in Liferay Portal Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers. | 6.5 |
| 2020-01-28 | CVE-2020-7934 | Cross-site Scripting vulnerability in Liferay Portal In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. | 5.4 |
| 2019-09-09 | CVE-2019-16147 | Cross-site Scripting vulnerability in Liferay Portal Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib. | 6.1 |
| 2019-06-03 | CVE-2019-6588 | Cross-site Scripting vulnerability in Liferay Portal In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. | 4.7 |
| 2018-01-02 | CVE-2017-1000425 | Cross-site Scripting vulnerability in Liferay Portal Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter. | 6.1 |
| 2017-12-27 | CVE-2017-17868 | Cross-site Scripting vulnerability in Liferay Portal 6.1.0 In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag. | 6.1 |
| 2017-08-07 | CVE-2017-12649 | Cross-site Scripting vulnerability in Liferay Portal 6.1.2/6.2.2/7.0 XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display. | 6.1 |
| 2017-08-07 | CVE-2017-12648 | Cross-site Scripting vulnerability in Liferay Portal 6.1.2/6.2.2/7.0 XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL. | 6.1 |