CVSS: 9.0EPSS: 0%CPEs: 19EXPL: 1CVE-2023-42629
https://notcve.org/view.php?id=CVE-2023-42629
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field. Vulnerabilidad de Cross-Site Scripting (XSS) en la página de gestión de vocabulario en Liferay Portal v7.4.2 hasta v7.4.3.87, y Liferay DXP v7.4 anterior a la actualización 88 permite a atacantes remotos inyectar script web o HTML arbitrario a través de un payload manipulado inyectado en un vocabulario campo de texto 'description'. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629 https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 18EXPL: 0CVE-2023-42497
https://notcve.org/view.php?id=CVE-2023-42497
Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter. Vulnerabilidad de Cross-Site Scripting (XSS) reflejada en la página "Export for Translation" en Liferay Portal 7.4.3.4 hasta 7.4.3.85, y Liferay DXP 7.4 anterior a la actualización 86 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect`. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35030
https://notcve.org/view.php?id=CVE-2023-35030
Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35029
https://notcve.org/view.php?id=CVE-2023-35029
Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-3193
https://notcve.org/view.php?id=CVE-2023-3193
Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •