CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25607
https://notcve.org/view.php?id=CVE-2024-25607
20 Feb 2024 — The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes. El algoritmo de hash de contraseña predeterminado (PBKDF2-HMAC-SHA1) en Liferay Portal 7.2.0 a 7.4.3.15 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actua... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607 • CWE-916: Use of Password Hash With Insufficient Computational Effort •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25606
https://notcve.org/view.php?id=CVE-2024-25606
20 Feb 2024 — XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method. La vulnerabilidad XXE en Liferay Portal 7.2.0 a 7.4.3.7 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualización... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-25605
https://notcve.org/view.php?id=CVE-2024-25605
20 Feb 2024 — The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API. El módulo Journal en Liferay Portal 7.2.0 a 7.4.3.4 y versiones anteriores no compatibles, y Liferay DXP 7.4.13, 7.3 anteriores al service pack 3, 7.2 anteriores al fix pac... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605 • CWE-276: Incorrect Default Permissions •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-25604
https://notcve.org/view.php?id=CVE-2024-25604
20 Feb 2024 — Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel. Liferay Portal 7.2.0 a 7.4.3.4 y versiones anteriores no compatibles, y Liferay DXP 7.4.13, 7.3 anterior al service pack 3, 7.2 anteri... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25150
https://notcve.org/view.php?id=CVE-2024-25150
20 Feb 2024 — Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names. Vulnerabilidad de divulgación de información en el Panel de control en Liferay Portal 7.2.0 a 7.4.2 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior a la a... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150 • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25149
https://notcve.org/view.php?id=CVE-2024-25149
20 Feb 2024 — Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site. Liferay Portal 7.... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149 • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47798
https://notcve.org/view.php?id=CVE-2023-47798
08 Feb 2024 — Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked. El bloqueo de cuentas en Liferay Portal 7.2.0 a 7.3.0 y versiones anteriores no compatibles, y Liferay DXP 7.2 anterior al fixpack 5 y versiones anteriores no compatibles no invalida las sesiones de usuario existe... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798 • CWE-384: Session Fixation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25143
https://notcve.org/view.php?id=CVE-2024-25143
07 Feb 2024 — The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images. Document and Media widget In Liferay Portal 7.2.0 a 7.3.6 y versiones anteriores no compatibles, y Liferay DXP 7.3 anteriores al ... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8267
https://notcve.org/view.php?id=CVE-2014-8267
01 Feb 2015 — Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter. Vulnerabilidad de XSS en QPR Portal 2014.1.1 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro RID. • http://www.kb.cert.org/vuls/id/546340 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8268
https://notcve.org/view.php?id=CVE-2014-8268
01 Feb 2015 — QPR Portal before 2012.2.1 allows remote attackers to modify or delete notes via a direct request. QPR Portal anterior a 2012.2.1 permite a atacantes remotos modificar o eliminar notas a través de una solicitud directa. • http://www.kb.cert.org/vuls/id/546340 • CWE-264: Permissions, Privileges, and Access Controls •