CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-42128
https://notcve.org/view.php?id=CVE-2022-42128
15 Nov 2022 — The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API. El módulo Hypermedia REST APIs en Liferay Portal v7.4.1 a 7.4.3.4 y Liferay DXP 7.4 GA no comprueba correctamente los permisos, lo que permite a atacantes remotos obtener un objeto WikiNode a través de la API WikiNodeResource.getSiteWikiNodeByExternalR... • https://issues.liferay.com/browse/LPE-17595 • CWE-276: Incorrect Default Permissions •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42129
https://notcve.org/view.php?id=CVE-2022-42129
15 Nov 2022 — An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter. Una vulnerabilidad de Insecure Direct Object Reference (IDOR) en el módulo Dynamic Data Mapping en Liferay Portal 7.3.2 hasta 7.4.3.4, y Liferay DXP 7.3 antes de la actualización 4, y 7.4 GA permite a usuarios remotos auten... • https://issues.liferay.com/browse/LPE-17448 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0CVE-2022-42130
https://notcve.org/view.php?id=CVE-2022-42130
15 Nov 2022 — The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. El módulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualización 4 y 7.4 GA no comprueba correctamente el permiso de l... • https://issues.liferay.com/browse/LPE-17447 • CWE-276: Incorrect Default Permissions •
CVSS: 4.8EPSS: 0%CPEs: 48EXPL: 0CVE-2022-42131
https://notcve.org/view.php?id=CVE-2022-42131
15 Nov 2022 — Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3. Ciertos productos de Liferay se ven afectados por: Falta de Validación de Certificado SSL en los proveedores de datos REST del módulo Dynamic Data Mapping. Esto afecta a Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pac... • https://issues.liferay.com/browse/LPE-17377 • CWE-295: Improper Certificate Validation •
CVSS: 5.5EPSS: 0%CPEs: 21EXPL: 0CVE-2022-42111
https://notcve.org/view.php?id=CVE-2022-42111
15 Nov 2022 — A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. Una vulnerabilidad de Cross-Site Scripting (XSS) en la notificación de usuario del módulo Compartir en Liferay Portal 7.2.1 a 7.4.2, y Liferay DXP 7.2 antes del fix pack 19, y 7.3 antes de la actualización 4 permite a... • https://issues.liferay.com/browse/LPE-17379 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 45EXPL: 0CVE-2022-42118
https://notcve.org/view.php?id=CVE-2022-42118
15 Nov 2022 — A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en el módulo Portal Search en Liferay Portal 7.1.0 hasta 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 15 y 7.3 antes del service pack 3 permite a ... • https://issues.liferay.com/browse/LPE-17342 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-42119
https://notcve.org/view.php?id=CVE-2022-42119
15 Nov 2022 — Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8. Ciertos productos de Liferay son vulnerables a Cross Site Scripting (XSS) a través del módulo Commerce. Esto afecta a Liferay Portal 7.3.5 hasta 7.4.2 y Liferay DXP 7.3 antes de la actualización 8. • https://issues.liferay.com/browse/LPE-17632 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42123
https://notcve.org/view.php?id=CVE-2022-42123
15 Nov 2022 — A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin. Una vulnerabilidad Zip slip en Elasticsearch Connector en Liferay Portal 7.3.3 a 7.4.3.18, y Liferay DXP 7.3 antes de la actualización 6 y 7.4 antes de la actualización 19 permite a los atacantes crear o sobrescri... • https://issues.liferay.com/browse/LPE-17518 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-42124
https://notcve.org/view.php?id=CVE-2022-42124
15 Nov 2022 — ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype. Vulnerabilidad ReDoS en LayoutPageTemplateEntryUpgradeProcess en Liferay Portal 7.3.2 hasta 7.4.3.4 y Liferay DXP 7.2 fix pack 9 hasta fix pack 18, 7.3 antes de la actualiz... • https://issues.liferay.com/browse/LPE-17435 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42125
https://notcve.org/view.php?id=CVE-2022-42125
15 Nov 2022 — Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module. Vulnerabilidad de deslizamiento de zip en FileUtil.unzip en Liferay Portal 7.4.3.5 hasta 7.4.3.35 y Liferay DXP 7.4 actualización 1 hasta la actualización 34 permite a los atacantes crear o sobrescribir archivos existentes en el sistema de archivos mediante l... • https://issues.liferay.com/browse/LPE-17517 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •