CVSS: 9.0EPSS: 0%CPEs: 19EXPL: 1CVE-2023-42629
https://notcve.org/view.php?id=CVE-2023-42629
17 Oct 2023 — Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field. Vulnerabilidad de Cross-Site Scripting (XSS) en la página de gestión de vocabulario en Liferay Portal v7.4.2 hasta v7.4.3.87, y Liferay DXP v7.4 anterior a la actualización 88 permite a atacantes remotos inyectar sc... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 18EXPL: 0CVE-2023-42497
https://notcve.org/view.php?id=CVE-2023-42497
17 Oct 2023 — Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter. Vulnerabilidad de Cross-Site Scripting (XSS) reflejada en la página "Export for Translation" en Liferay Portal 7.4.3.4 hasta 7.4.3.85, y Liferay DXP 7.4 anterior a la actualización 86 per... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-3426
https://notcve.org/view.php?id=CVE-2023-3426
02 Aug 2023 — The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. El selector de organizaciones en Liferay Portal v7.4.3.81 a v7.4.3.85 y Liferay DXP v7.4 actualización 81 a 85 no comprueba el permiso del usuario, lo que permite a usuarios remotos autenticados obtener una lista de todas las organizaciones. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426 • CWE-425: Direct Request ('Forced Browsing') CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35030
https://notcve.org/view.php?id=CVE-2023-35030
15 Jun 2023 — Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35029
https://notcve.org/view.php?id=CVE-2023-35029
15 Jun 2023 — Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2023-3193
https://notcve.org/view.php?id=CVE-2023-3193
15 Jun 2023 — Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-33950
https://notcve.org/view.php?id=CVE-2023-33950
24 May 2023 — Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-33949
https://notcve.org/view.php?id=CVE-2023-33949
24 May 2023 — In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-33948
https://notcve.org/view.php?id=CVE-2023-33948
24 May 2023 — The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2023-33947
https://notcve.org/view.php?id=CVE-2023-33947
24 May 2023 — The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947 • CWE-284: Improper Access Control •