Page 4 of 86 results (0.015 seconds)

CVSS: 4.8EPSS: 0%CPEs: 48EXPL: 0

Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3. Ciertos productos de Liferay se ven afectados por: Falta de Validación de Certificado SSL en los proveedores de datos REST del módulo Dynamic Data Mapping. Esto afecta a Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 17 y 7.3 antes del service pack 3. • http://liferay.com https://issues.liferay.com/browse/LPE-17377 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42131 • CWE-295: Improper Certificate Validation •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter. Una vulnerabilidad de Insecure Direct Object Reference (IDOR) en el módulo Dynamic Data Mapping en Liferay Portal 7.3.2 hasta 7.4.3.4, y Liferay DXP 7.3 antes de la actualización 4, y 7.4 GA permite a usuarios remotos autenticados ver y acceder a entradas de formulario a través del parámetro `formInstanceRecordId`. • http://liferay.com https://issues.liferay.com/browse/LPE-17448 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 8.8EPSS: 0%CPEs: 48EXPL: 0

A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field. Una vulnerabilidad de inyección SQL en el módulo Layout en Liferay Portal 7.1.3 hasta 7.4.3.4, y Liferay DXP 7.1 anterior al fix pack 27, 7.2 anterior al fix pack 17, 7.3 anterior al service pack 3 y 7.4 GA permite a atacantes remotos autenticados ejecutar arbitrariamente Comandos SQL a través de un payload manipulado inyectado en el campo 'Nombre' de una plantilla de página. • http://liferay.com https://issues.liferay.com/browse/LPE-17414 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42121 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.9EPSS: 0%CPEs: 151EXPL: 0

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. La funcionalidad Probar usuarios de LDAP en Liferay Portal 7.0.0 a 7.4.3.4, y Liferay DXP 7.0 fixpack 102 y anteriores, 7.1 antes del fixpack 27, 7.2 antes del fixpack 17, 7.3 antes de la actualización 4 y DXP 7.4 GA incluye LDAP credencial en la URL de la página al paginar a través de la lista de usuarios, lo que permite a los atacantes intermediarios o a los atacantes con acceso a los registros de solicitudes ver la credencial LDAP. • http://liferay.com https://issues.liferay.com/browse/LPE-17438 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.1EPSS: 0%CPEs: 46EXPL: 0

A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de Cross-Site Scripring (XSS) en el módulo Announcements en Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 17 y 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web arbitrario o HTML. • https://issues.liferay.com/browse/LPE-17403 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •