Page 2 of 47 results (0.003 seconds)

CVSS: 9.0EPSS: 0%CPEs: 19EXPL: 1

Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field. Vulnerabilidad de Cross-Site Scripting (XSS) en la página de gestión de vocabulario en Liferay Portal v7.4.2 hasta v7.4.3.87, y Liferay DXP v7.4 anterior a la actualización 88 permite a atacantes remotos inyectar script web o HTML arbitrario a través de un payload manipulado inyectado en un vocabulario campo de texto 'description'. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629 https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.6EPSS: 0%CPEs: 18EXPL: 0

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter. Vulnerabilidad de Cross-Site Scripting (XSS) reflejada en la página "Export for Translation" en Liferay Portal 7.4.3.4 hasta 7.4.3.85, y Liferay DXP 7.4 anterior a la actualización 86 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect`. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. El selector de organizaciones en Liferay Portal v7.4.3.81 a v7.4.3.85 y Liferay DXP v7.4 actualización 81 a 85 no comprueba el permiso del usuario, lo que permite a usuarios remotos autenticados obtener una lista de todas las organizaciones. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426 • CWE-425: Direct Request ('Forced Browsing') CWE-862: Missing Authorization •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950 • CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 • CWE-1188: Initialization of a Resource with an Insecure Default •