CVSS: 9.0EPSS: 0%CPEs: 104EXPL: 1CVE-2023-42628
https://notcve.org/view.php?id=CVE-2023-42628
17 Oct 2023 — Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field. Vulnerabilidad de Cross-Site Scripting (XSS) almacenadas en el widget Wiki en Liferay Por... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 36EXPL: 0CVE-2023-44310
https://notcve.org/view.php?id=CVE-2023-44310
17 Oct 2023 — Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text field. Vulnerabilidad de Cross-Site Scripting (XSS) almacenada en Page Tree menu Liferay Portal 7.3.6 hasta 7.4.3.78, y Liferay DXP 7.3 fixpack 1 hasta la actualización 23, y 7.4 antes de la actualización 79 permit... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-33949
https://notcve.org/view.php?id=CVE-2023-33949
24 May 2023 — In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 5.5EPSS: 0%CPEs: 50EXPL: 0CVE-2023-33939
https://notcve.org/view.php?id=CVE-2023-33939
24 May 2023 — Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 31EXPL: 0CVE-2023-33937
https://notcve.org/view.php?id=CVE-2023-33937
24 May 2023 — Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33937 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48365
https://notcve.org/view.php?id=CVE-2022-48365
12 Mar 2023 — An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips • CWE-269: Improper Privilege Management •
CVSS: 3.7EPSS: 0%CPEs: 15EXPL: 0CVE-2022-48366
https://notcve.org/view.php?id=CVE-2022-48366
12 Mar 2023 — An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 10.0EPSS: 0%CPEs: 11EXPL: 0CVE-2022-48367
https://notcve.org/view.php?id=CVE-2022-48367
12 Mar 2023 — An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-42124
https://notcve.org/view.php?id=CVE-2022-42124
15 Nov 2022 — ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype. Vulnerabilidad ReDoS en LayoutPageTemplateEntryUpgradeProcess en Liferay Portal 7.3.2 hasta 7.4.3.4 y Liferay DXP 7.2 fix pack 9 hasta fix pack 18, 7.3 antes de la actualiz... • http://liferay.com • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0CVE-2022-42130
https://notcve.org/view.php?id=CVE-2022-42130
15 Nov 2022 — The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. El módulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualización 4 y 7.4 GA no comprueba correctamente el permiso de l... • http://liferay.com • CWE-276: Incorrect Default Permissions •