Page 2 of 56 results (0.003 seconds)

CVSS: 5.4EPSS: 0%CPEs: 21EXPL: 0

A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. Una vulnerabilidad de Cross-Site Scripting (XSS) en la notificación de usuario del módulo Compartir en Liferay Portal 7.2.1 a 7.4.2, y Liferay DXP 7.2 antes del fix pack 19, y 7.3 antes de la actualización 4 permite a atacantes remotos inyectar scripts web o HTML arbitrarios compartiendo un activo con un payload manipulado. • https://issues.liferay.com/browse/LPE-17379 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42111 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 9EXPL: 0

Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8. Ciertos productos de Liferay son vulnerables a Cross Site Scripting (XSS) a través del módulo Commerce. Esto afecta a Liferay Portal 7.3.5 hasta 7.4.2 y Liferay DXP 7.3 antes de la actualización 8. • http://liferay.com https://issues.liferay.com/browse/LPE-17632 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42119 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL. Una vulnerabilidad de inyección SQL en el módulo URL Amigable en Liferay Portal 7.3.7 y Liferay DXP 7.3 fixpack 2 hasta la actualización 4 permite a los atacantes ejecutar comandos SQL arbitrarios a través de un payload manipulado inyectado en el campo "título" de una URL amigable. • http://liferay.com https://issues.liferay.com/browse/LPE-17520 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute. Una vulnerabilidad de inyección SQL en el módulo Fragment en Liferay Portal 7.3.3 a 7.4.3.16, y Liferay DXP 7.3 antes de la actualización 4, y 7.4 antes de la actualización 17 permite a los atacantes ejecutar comandos SQL arbitrarios a través del atributo `namespace` de PortletPreferences. • http://liferay.com https://issues.liferay.com/browse/LPE-17513 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 48EXPL: 0

A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field. Una vulnerabilidad de inyección SQL en el módulo Layout en Liferay Portal 7.1.3 hasta 7.4.3.4, y Liferay DXP 7.1 anterior al fix pack 27, 7.2 anterior al fix pack 17, 7.3 anterior al service pack 3 y 7.4 GA permite a atacantes remotos autenticados ejecutar arbitrariamente Comandos SQL a través de un payload manipulado inyectado en el campo 'Nombre' de una plantilla de página. • http://liferay.com https://issues.liferay.com/browse/LPE-17414 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42121 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •