CVSS: 5.3EPSS: 0%CPEs: 98EXPL: 0CVE-2021-29040
https://notcve.org/view.php?id=CVE-2021-29040
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs. Los servicios web JSON en Liferay Portal versiones 7.3.4 y anteriores, y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 20 y versiones 7.2 anteriores al fixpack 10, pueden proporcionar mensajes de error demasiado detallados, lo que permite a atacantes remotos usar el contenido del error de mensajes para ayudar a lanzar otros ataques más enfocados por medio de entradas diseñadas • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29039
https://notcve.org/view.php?id=CVE-2021-29039
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name. Una vulnerabilidad de tipo Cross-site scripting (XSS) en la página de administración de categorías del módulo Asset en Liferay Portal versión 7.3.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios por medio del nombre del sitio • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 26EXPL: 0CVE-2020-15839
https://notcve.org/view.php?id=CVE-2020-15839
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. Liferay Portal versiones anteriores a 7.3.3, y Liferay DXP versiones 7.1 anteriores a fixpack 18 y versiones 7.2 anteriores a fixpack 6, no reucir ataques de denegación de servicio mediante la carga de archivos grandes • https://issues.liferay.com/browse/LPE-17029 https://issues.liferay.com/browse/LPE-17055 https://portal.liferay.dev/learn/security/known-vulnerabilities https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24554
https://notcve.org/view.php?id=CVE-2020-24554
The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist. El módulo de redireccionamiento en Liferay Portal versiones anteriores a 7.3.3 no limita el numero de URLs resultando en un error 404 que es registrado, permitiendo a atacantes remotos llevar a cabo un ataque de denegación de servicio al realizar peticiones repetidas de páginas que no existen • https://portal.liferay.dev/learn/security/known-vulnerabilities https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784956 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •