CVE-2021-29051
https://notcve.org/view.php?id=CVE-2021-29051
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en la aplicación Asset Publisher del módulo Asset en Liferay Portal versiones 7.2.1 hasta 7.3.5, y Liferay DXP versiones 7.1 anteriores a fixpack 21, versiones 7.2 anteriores a fixpack 10 y versiones 7.3 anteriores a fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del parámetro _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-29044
https://notcve.org/view.php?id=CVE-2021-29044
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en las páginas de administración de peticiones de membresía del módulo Site en Liferay Portal versiones 7.0.0 hasta 7.3.5, y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 21, versiones 7.2 anteriores al fixpack 10 y versiones 7.3 anteriores al fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del parámetro _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-29043
https://notcve.org/view.php?id=CVE-2021-29043
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. El módulo Portal Store en Liferay Portal versiones 7.0.0 hasta 7.3.5 y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 21, versiones 7.2 anteriores al fixpack 10 y versiones 7.3 anteriores a fixpack 1, no oculta la contraseña de proxy de la tienda S3, el cual permite a atacantes robar la contraseña del proxy por medio de ataques de tipo man-in-the-middle o navegación lateral • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515 • CWE-522: Insufficiently Protected Credentials •
CVE-2021-29045
https://notcve.org/view.php?id=CVE-2021-29045
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en la página de administración de redireccionamiento del módulo Redirect en Liferay Portal versiones 7.3.2 hasta 7.3.5, y Liferay DXP versiones 7.3 anteriores a fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del parámetro _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743484 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-29047
https://notcve.org/view.php?id=CVE-2021-29047
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer. La implementación de SimpleCaptcha en Liferay Portal versiones 7.3.4, 7.3.5 y Liferay DXP versiones 7.3 anteriores al fixpack 1, no invalida las respuestas CAPTCHA después de su uso, lo que permite a atacantes remotos llevar a cabo repetidamente acciones protegidas por un desafío CAPTCHA reutilizando la misma respuesta CAPTCHA • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467 • CWE-287: Improper Authentication •