
CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running, and the vulnerabilities that affect that version, via the `Liferay-Portal` response header. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267 • CWE-1188: Initialization of a Resource with an Insecure Default

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26265 • CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry's content text field. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610 • CWE-1188: Initialization of a Resource with an Insecure Default

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via (1) the `redirect` parameter, (2) the `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomple... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25609 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via (1) the `redirect` parameter, (2) the `FORWARD_URL` parameter, (3) the `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedir... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607 • CWE-916: Use of Password Hash With Insufficient Computational Effort

CVSS: 8.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606 • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

20 Feb 2024 — The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605 • CWE-276: Incorrect Default Permissions

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

20 Feb 2024 — Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions do not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permissions via the Users and Organizations section of the Control Panel. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604 • CWE-863: Incorrect Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150 • CWE-201: Insertion of Sensitive Information Into Sent Data