CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38265
https://notcve.org/view.php?id=CVE-2021-38265
Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter. Una vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo Asset de Liferay Portal 7.3.4 a 7.3.6 permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios al crear una página de colección a través del parámetro _com_liferay_asset_list_web_portlet_AssetListPortlet_title • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 113EXPL: 0CVE-2021-38266
https://notcve.org/view.php?id=CVE-2021-38266
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP. El módulo Portal Security en Liferay Portal 7.2.1 y anteriores, y Liferay DXP 7.0 antes del fix pack 90, 7.1 antes del fix pack 17 y 7.2 antes del fix pack 5 no importa correctamente los usuarios de LDAP, lo que permite a los atacantes remotos impedir que un usuario legítimo se autentique al intentar iniciar sesión como un usuario que existe en LDAP • http://liferay.com https://issues.liferay.com/browse/LPE-17191 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266 •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2021-38268
https://notcve.org/view.php?id=CVE-2021-38268
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API. El módulo Dynamic Data Mapping en Liferay Portal 7.0.0 hasta 7.3.6, y Liferay DXP 7.0 antes del fix pack 101, 7.1 antes del fix pack 21, 7.2 antes del fix pack 10 y 7.3 antes del fix pack 2 establece incorrectamente los permisos por defecto para los miembros del sitio, lo que permite a los usuarios remotos autentificados con el rol de miembro del sitio añadir y duplicar formularios, a través de la UI o la API • http://liferay.com https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3 • CWE-276: Incorrect Default Permissions •
CVSS: 6.5EPSS: 0%CPEs: 26EXPL: 0CVE-2020-15839
https://notcve.org/view.php?id=CVE-2020-15839
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. Liferay Portal versiones anteriores a 7.3.3, y Liferay DXP versiones 7.1 anteriores a fixpack 18 y versiones 7.2 anteriores a fixpack 6, no reucir ataques de denegación de servicio mediante la carga de archivos grandes • https://issues.liferay.com/browse/LPE-17029 https://issues.liferay.com/browse/LPE-17055 https://portal.liferay.dev/learn/security/known-vulnerabilities https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928 • CWE-434: Unrestricted Upload of File with Dangerous Type •