CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-33949
https://notcve.org/view.php?id=CVE-2023-33949
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 5.4EPSS: 0%CPEs: 50EXPL: 0CVE-2023-33939
https://notcve.org/view.php?id=CVE-2023-33939
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 31EXPL: 0CVE-2023-33937
https://notcve.org/view.php?id=CVE-2023-33937
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33937 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2022-42124
https://notcve.org/view.php?id=CVE-2022-42124
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype. Vulnerabilidad ReDoS en LayoutPageTemplateEntryUpgradeProcess en Liferay Portal 7.3.2 hasta 7.4.3.4 y Liferay DXP 7.2 fix pack 9 hasta fix pack 18, 7.3 antes de la actualización 4 y DXP 7.4 GA permite a atacantes remotos consumir una cantidad excesiva de recursos del servidor a través de un payload manipulado inyectado en el campo 'nombre' de un prototipo de diseño. • http://liferay.com https://issues.liferay.com/browse/LPE-17435 https://issues.liferay.com/browse/LPE-17535 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42124 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0CVE-2022-42130
https://notcve.org/view.php?id=CVE-2022-42130
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. El módulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualización 4 y 7.4 GA no comprueba correctamente el permiso de las entradas del formulario, lo que permite usuarios remotos autenticados para ver y acceder a todas las entradas del formulario. • http://liferay.com https://issues.liferay.com/browse/LPE-17447 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130 • CWE-276: Incorrect Default Permissions •