CVSS: 5.5EPSS: 0%CPEs: 116EXPL: 0CVE-2022-28978
https://notcve.org/view.php?id=CVE-2022-28978
21 Sep 2022 — Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name. Una vulnerabilidad de tipo cross-site scripting (XSS) Almacenado en la página de administración de la membresía del usuario del módulo Site en Liferay Portal versi... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 46EXPL: 0CVE-2022-28979
https://notcve.org/view.php?id=CVE-2022-28979
21 Sep 2022 — Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field. Se ha detectado que Liferay Portal versioens v7.1.0 hasta v7.4.2 y Liferay DXP versiones 7.1 antes del fix pac... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 114EXPL: 0CVE-2022-26596
https://notcve.org/view.php?id=CVE-2022-26596
25 Apr 2022 — Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names. Una vulnerabilidad de tipo Cross-site scripting (XSS) en la página de configuración de visualización de contenido web del módulo Journal en Liferay Portal versiones 7.1.0 hasta 7.3.3, y L... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26597
https://notcve.org/view.php?id=CVE-2022-26597
25 Apr 2022 — Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. Una vulnerabilidad de tipo cross-site scripting (XSS) en la integración de Open Graph del módulo Layout en Liferay Portal 7.3.0 hasta 7.4.0, y Liferay DXP 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web o HTML arbitrario por medio de... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 41EXPL: 0CVE-2021-38269
https://notcve.org/view.php?id=CVE-2021-38269
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command. Una vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo Gogo Shell en Liferay Portal 7.1.0 hasta 7.3.6 y 7.4.0, y Liferay DXP 7.1 antes del paquete de correcciones 23, 7.2 antes... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 132EXPL: 0CVE-2021-38263
https://notcve.org/view.php?id=CVE-2021-38263
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script. La vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la consola de secuencias de comandos del módulo Server en Liferay Portal 7.3.2 y anteriores, y Liferay DXP 7.0 antes del paquete de correccion... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 113EXPL: 0CVE-2021-38266
https://notcve.org/view.php?id=CVE-2021-38266
02 Mar 2022 — The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP. El módulo Portal Security en Liferay Portal 7.2.1 y anteriores, y Liferay DXP 7.0 antes del fix pack 90, 7.1 antes del fix pack 17 y 7.2 antes del fix pack 5 no importa correctamente... • http://liferay.com •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2021-38268
https://notcve.org/view.php?id=CVE-2021-38268
02 Mar 2022 — The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API. El módulo Dynamic Data Mapping en Liferay Portal 7.0.0 hasta 7.3.6, y Liferay DXP 7.0 antes del fix pack 101, 7.1 antes del fix pack 21, 7.2 antes del fix ... • http://liferay.com • CWE-276: Incorrect Default Permissions •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-28885
https://notcve.org/view.php?id=CVE-2020-28885
28 Jan 2022 — Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design fla ** EN DISPUTA ** Liferay Portal Server probado en versiones 7.3.5 GA6, 7.2.0 GA1, está afectado por la inyección de comandos ... • https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 4%CPEs: 2EXPL: 0CVE-2020-28884
https://notcve.org/view.php?id=CVE-2020-28884
28 Jan 2022 — Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw. ** EN DISPUTA ** Liferay Portal Server probado en versiones 7.3.5 GA6, 7.2.0 GA1, está afectado por la Inyección de Comandos del Sistema Operativo. Un usuario administrado... • https://learn.liferay.com/dxp/latest/en/system-administration/using-the-script-engine/running-scripts-from-the-script-console.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •