CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0CVE-2022-42130
https://notcve.org/view.php?id=CVE-2022-42130
15 Nov 2022 — The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. El módulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualización 4 y 7.4 GA no comprueba correctamente el permiso de l... • http://liferay.com • CWE-276: Incorrect Default Permissions •
CVSS: 4.8EPSS: 0%CPEs: 48EXPL: 0CVE-2022-42131
https://notcve.org/view.php?id=CVE-2022-42131
15 Nov 2022 — Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3. Ciertos productos de Liferay se ven afectados por: Falta de Validación de Certificado SSL en los proveedores de datos REST del módulo Dynamic Data Mapping. Esto afecta a Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pac... • http://liferay.com • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 0%CPEs: 151EXPL: 0CVE-2022-42132
https://notcve.org/view.php?id=CVE-2022-42132
15 Nov 2022 — The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. La funcionalidad Probar usuarios de LDAP en Liferay Portal 7.0.0 a 7.4.3.4, y Liferay DXP 7.0 fixpack 102... • http://liferay.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 46EXPL: 0CVE-2022-42110
https://notcve.org/view.php?id=CVE-2022-42110
14 Nov 2022 — A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de Cross-Site Scripring (XSS) en el módulo Announcements en Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 17 y 7.3 antes del service pack 3 permite a atacantes remotos inyectar s... • https://issues.liferay.com/browse/LPE-17403 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 52EXPL: 0CVE-2022-42112
https://notcve.org/view.php?id=CVE-2022-42112
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el widget Sort del módulo Portal Search en Liferay Portal versiones 7.2.0 hasta 7.4.3.24, y Liferay DXP 7.2 versiones anteriores a fix pack 19, 7.3 ante... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41414
https://notcve.org/view.php?id=CVE-2022-41414
07 Oct 2022 — An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages. Un fallo no seguro en el componente auth.login.prompt.enabled de Liferay Portal versiones v7.0.0 hasta v7.4.2, permite a atacantes enumerar nombres de usuarios, nombres de sitios y páginas • https://portal.liferay.dev/learn/security/known-vulnerabilities • CWE-276: Incorrect Default Permissions •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-28980
https://notcve.org/view.php?id=CVE-2022-28980
22 Sep 2022 — Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Liferay Portal versión v7.4.3.4 y Liferay DXP versión v7.4 GA, permiten a atacantes ejecutar scripts web o HTML arbitrarios por medio de parámetros con el prefijo filter_ • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 116EXPL: 0CVE-2022-28978
https://notcve.org/view.php?id=CVE-2022-28978
21 Sep 2022 — Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name. Una vulnerabilidad de tipo cross-site scripting (XSS) Almacenado en la página de administración de la membresía del usuario del módulo Site en Liferay Portal versi... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 46EXPL: 0CVE-2022-28979
https://notcve.org/view.php?id=CVE-2022-28979
21 Sep 2022 — Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field. Se ha detectado que Liferay Portal versioens v7.1.0 hasta v7.4.2 y Liferay DXP versiones 7.1 antes del fix pac... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 114EXPL: 0CVE-2022-26596
https://notcve.org/view.php?id=CVE-2022-26596
25 Apr 2022 — Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names. Una vulnerabilidad de tipo Cross-site scripting (XSS) en la página de configuración de visualización de contenido web del módulo Journal en Liferay Portal versiones 7.1.0 hasta 7.3.3, y L... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •