Page 10 of 79 results (0.017 seconds)

CVSS: 5.9EPSS: 0%CPEs: 98EXPL: 0

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. El módulo Portal Store en Liferay Portal versiones 7.0.0 hasta 7.3.5 y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 21, versiones 7.2 anteriores al fixpack 10 y versiones 7.3 anteriores a fixpack 1, no oculta la contraseña de proxy de la tienda S3, el cual permite a atacantes robar la contraseña del proxy por medio de ataques de tipo man-in-the-middle o navegación lateral • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515 • CWE-522: Insufficiently Protected Credentials •

CVSS: 5.3EPSS: 0%CPEs: 98EXPL: 0

The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs. Los servicios web JSON en Liferay Portal versiones 7.3.4 y anteriores, y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 20 y versiones 7.2 anteriores al fixpack 10, pueden proporcionar mensajes de error demasiado detallados, lo que permite a atacantes remotos usar el contenido del error de mensajes para ayudar a lanzar otros ataques más enfocados por medio de entradas diseñadas • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload. Liferay CMS Portal versiones 7.1.3 y 7.2.1, presenta una vulnerabilidad de tipo cross-site scripting (XSS) persistente ciego en el parámetro user name en Calendario. Un atacante puede insertar una carga útil maliciosa en los campos username, lastname o surname de su propio perfil, y la carga útil maliciosa será inyectada y reflejada en el calendario del usuario que envió la carga útil. • https://github.com/community-security-team/liferay-portal/compare/7.1.3-ga4...7.1.3-cumulative.patch https://github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119318646 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs. En Liferay Portal versiones anteriores a 7.3.1, Liferay Portal versión 6.2 EE y Liferay DXP versión 7.2, DXP ??versión 7.1 y DXP versión 7.0, la propiedad "portlet.resource.id.banned.paths.regexp" puede ser omitida con unas URL codificadas duplicadas. • https://issues.liferay.com/browse/LPE-17046 https://portal.liferay.dev/learn/security/known-vulnerabilities https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204 •

CVSS: 6.5EPSS: 0%CPEs: 26EXPL: 0

Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. Liferay Portal versiones anteriores a 7.3.3, y Liferay DXP versiones 7.1 anteriores a fixpack 18 y versiones 7.2 anteriores a fixpack 6, no reucir ataques de denegación de servicio mediante la carga de archivos grandes • https://issues.liferay.com/browse/LPE-17029 https://issues.liferay.com/browse/LPE-17055 https://portal.liferay.dev/learn/security/known-vulnerabilities https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928 • CWE-434: Unrestricted Upload of File with Dangerous Type •