CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42125
https://notcve.org/view.php?id=CVE-2022-42125
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module. Vulnerabilidad de deslizamiento de zip en FileUtil.unzip en Liferay Portal 7.4.3.5 hasta 7.4.3.35 y Liferay DXP 7.4 actualización 1 hasta la actualización 34 permite a los atacantes crear o sobrescribir archivos existentes en el sistema de archivos mediante la implementación de un complemento/módulo malicioso. • http://liferay.com https://issues.liferay.com/browse/LPE-17517 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42127
https://notcve.org/view.php?id=CVE-2022-42127
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page. El módulo URL Amigables en Liferay Portal v7.4.3.5 a 7.4.3.36 y Liferay DXP 7.4 actualizaciones 1 a 36 no verifica adecuadamente los permisos de usuario, lo que permite a atacantes remotos obtener el historial de todas las URL amigables que se asignaron a una página. • http://liferay.com https://issues.liferay.com/browse/LPE-17607 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42127 • CWE-276: Incorrect Default Permissions •
CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0CVE-2022-42130
https://notcve.org/view.php?id=CVE-2022-42130
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. El módulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualización 4 y 7.4 GA no comprueba correctamente el permiso de las entradas del formulario, lo que permite usuarios remotos autenticados para ver y acceder a todas las entradas del formulario. • http://liferay.com https://issues.liferay.com/browse/LPE-17447 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130 • CWE-276: Incorrect Default Permissions •
CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3787 – device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux
https://notcve.org/view.php?id=CVE-2022-3787
This could lead to local privilege escalation to root. • https://bugzilla.redhat.com/show_bug.cgi?id=2138959 https://access.redhat.com/security/cve/CVE-2022-3787 • CWE-285: Improper Authorization •
CVSS: 6.1EPSS: 0%CPEs: 46EXPL: 0CVE-2022-42110
https://notcve.org/view.php?id=CVE-2022-42110
A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de Cross-Site Scripring (XSS) en el módulo Announcements en Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 17 y 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web arbitrario o HTML. • https://issues.liferay.com/browse/LPE-17403 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •