Page 23 of 128 results (0.009 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files ** EN DISPUTA ** Liferay en versiones 6.2.x y anteriores tiene una configuración FCKeditor que permite que un atacante suba o transfiera archivos de tipo peligroso que pueden procesarse automáticamente en el entorno del producto mediante un URI browser/liferay/browser.html?Type= o html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html. NOTA: el fabricante discute este problema debido a que la subida de archivos es una funcionalidad esperada, sujeta a las comprobaciones de control de acceso basado en roles, donde solo los usuarios autenticados con permisos adecuados pueden subir archivos. • https://cxsecurity.com/issue/WLB-2018050029 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter. Vulnerabilidad de Cross-Site Scripting (XSS) en la página /html/portal/flash.jsp en Liferay Portal CE 7.0 GA4 y anteriores permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante un URI javascript: en el parámetro "movie". • https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7030-multiple-xss-vulnerabilities-in-7-0-ce-ga4 https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a43d18c031 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag. En Liferay Portal 6.1.0, la selección de etiquetas contiene CSS mediante un valor Public Render Parameter (p_r_p), tal y como lo demuestra p_r_p_564233524_tag. • https://cxsecurity.com/issue/WLB-2017120169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante un portletId no válido. • https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities https://issues.liferay.com/browse/LPS-72307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante un resumen o título manipulado que no se administra correctamente en el Web Content Display. • https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities https://github.com/brianchandotcom/liferay-portal/pull/47579 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •