CVSS: 6.1EPSS: 0%CPEs: 45EXPL: 0CVE-2022-42118
https://notcve.org/view.php?id=CVE-2022-42118
A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en el módulo Portal Search en Liferay Portal 7.1.0 hasta 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 15 y 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro "etiqueta". • http://liferay.com https://issues.liferay.com/browse/LPE-17342 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42118 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 21EXPL: 0CVE-2022-42111
https://notcve.org/view.php?id=CVE-2022-42111
A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. Una vulnerabilidad de Cross-Site Scripting (XSS) en la notificación de usuario del módulo Compartir en Liferay Portal 7.2.1 a 7.4.2, y Liferay DXP 7.2 antes del fix pack 19, y 7.3 antes de la actualización 4 permite a atacantes remotos inyectar scripts web o HTML arbitrarios compartiendo un activo con un payload manipulado. • https://issues.liferay.com/browse/LPE-17379 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42111 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 9EXPL: 0CVE-2022-42119
https://notcve.org/view.php?id=CVE-2022-42119
Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8. Ciertos productos de Liferay son vulnerables a Cross Site Scripting (XSS) a través del módulo Commerce. Esto afecta a Liferay Portal 7.3.5 hasta 7.4.2 y Liferay DXP 7.3 antes de la actualización 8. • http://liferay.com https://issues.liferay.com/browse/LPE-17632 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42119 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-42122
https://notcve.org/view.php?id=CVE-2022-42122
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL. Una vulnerabilidad de inyección SQL en el módulo URL Amigable en Liferay Portal 7.3.7 y Liferay DXP 7.3 fixpack 2 hasta la actualización 4 permite a los atacantes ejecutar comandos SQL arbitrarios a través de un payload manipulado inyectado en el campo "título" de una URL amigable. • http://liferay.com https://issues.liferay.com/browse/LPE-17520 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42120
https://notcve.org/view.php?id=CVE-2022-42120
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute. Una vulnerabilidad de inyección SQL en el módulo Fragment en Liferay Portal 7.3.3 a 7.4.3.16, y Liferay DXP 7.3 antes de la actualización 4, y 7.4 antes de la actualización 17 permite a los atacantes ejecutar comandos SQL arbitrarios a través del atributo `namespace` de PortletPreferences. • http://liferay.com https://issues.liferay.com/browse/LPE-17513 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •