CVSS: 6.1EPSS: 0%CPEs: 46EXPL: 0CVE-2022-28979
https://notcve.org/view.php?id=CVE-2022-28979
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field. Se ha detectado que Liferay Portal versioens v7.1.0 hasta v7.4.2 y Liferay DXP versiones 7.1 antes del fix pack 26, 7.2 antes del fix pack 15 y 7.3 antes del service pack 3 contienen una vulnerabilidad de cross-site scripting (XSS) en el widget Custom Facet del módulo Portal Search. Esta vulnerabilidad permite a los atacantes ejecutar scripts web o HTML arbitrarios a través de una carga útil manipulada inyectada en el campo de texto Custom Parameter Name • http://liferay.com https://issues.liferay.com/browse/LPE-17381 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26597
https://notcve.org/view.php?id=CVE-2022-26597
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. Una vulnerabilidad de tipo cross-site scripting (XSS) en la integración de Open Graph del módulo Layout en Liferay Portal 7.3.0 hasta 7.4.0, y Liferay DXP 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web o HTML arbitrario por medio del nombre del sitio • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26595
https://notcve.org/view.php?id=CVE-2022-26595
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI. Liferay Portal versiones 7.3.7, 7.4.0, y 7.4.1, y Liferay DXP versiones 7.2 fix pack 13, y 7.3 fix pack 2 no comprueban apropiadamente los permisos de usuarios cuando acceden a una lista de sitios/grupos, lo que permite a usuarios remotos autenticados visualizar sitios/grupos por medio de la UI de asignación de miembros del sitio del usuario • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list • CWE-276: Incorrect Default Permissions •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26593
https://notcve.org/view.php?id=CVE-2022-26593
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of a asset category. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el selector de categorías de activos del módulo Asset en Liferay Portal versiones 7.3.3 hasta 7.4.0, y Liferay DXP versiones 7.3 anteriores al Service Pack 3 permite a atacantes remotos inyectar scripts web arbitrarios o HTML arbitrarios por medio del nombre de una categoría de activos • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26593-stored-xss-with-category-name-in-asset-categories-selector • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-26594
https://notcve.org/view.php?id=CVE-2022-26594
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Liferay Portal versiones 7.3.5 hasta 7.4.0 y Liferay DXP versiones 7.3 anteriores a service pack 3, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del texto de ayuda de un campo de formulario en (1) el constructor de formularios del módulo Forms, o (2) el constructor de formularios de la vista de formularios de objetos del módulo App Builder • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •