CVSS: 5.5EPSS: 0%CPEs: 36EXPL: 1CVE-2022-38901
https://notcve.org/view.php?id=CVE-2022-38901
19 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el módulo Document and Media - funcionalidad de descarga de archivos en Liferay Digital Experience Platform versión 7.3.10 SP3, permite a atacantes remotos inyectar scripts JS o HTML arbitra... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 52EXPL: 0CVE-2022-42112
https://notcve.org/view.php?id=CVE-2022-42112
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el widget Sort del módulo Portal Search en Liferay Portal versiones 7.2.0 hasta 7.4.3.24, y Liferay DXP 7.2 versiones anteriores a fix pack 19, 7.3 ante... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 39EXPL: 0CVE-2022-42114
https://notcve.org/view.php?id=CVE-2022-42114
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de tipo Cross-site scripting (XSS) en la página de edición de asignados de roles del módulo Role en Liferay Portal versiones 7.4.0 hasta 7.4.3.36, y Liferay DXP versiones 7.4 anteriores a update 37, permite a atacantes remotos inyectar script web o HTML arbitra... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42115
https://notcve.org/view.php?id=CVE-2022-42115
18 Oct 2022 — Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field. Una vulnerabilidad de tipo cross-site scripting (XSS) en la página de edición de detalles de objetos del módulo Object en Liferay Portal 7.4.3.4 hasta 7.4.3.36, permite a atacantes remotos inyectar script web o HTML arbitrario por medio de un... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 26EXPL: 0CVE-2022-42116
https://notcve.org/view.php?id=CVE-2022-42116
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter. Una vulnerabilidad de Cross-site scripting (XSS) en la integración del módulo Frontend Editor con CKEditor en Liferay Portal versiones 7.3.2 hasta 7.4.3.14, y Liferay DXP versiones 7.3 anteriores a ... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 29EXPL: 0CVE-2022-42117
https://notcve.org/view.php?id=CVE-2022-42117
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el módulo Frontend Taglib en Liferay Portal versiones 7.3.2 hasta 7.4.3.16, y Liferay DXP versiones 7.3 anteriores a update 6, y versiones 7.4 anteriores a 17, permite a atacantes remotos inyectar script web o HTML... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41414
https://notcve.org/view.php?id=CVE-2022-41414
07 Oct 2022 — An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages. Un fallo no seguro en el componente auth.login.prompt.enabled de Liferay Portal versiones v7.0.0 hasta v7.4.2, permite a atacantes enumerar nombres de usuarios, nombres de sitios y páginas • https://portal.liferay.dev/learn/security/known-vulnerabilities • CWE-276: Incorrect Default Permissions •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-28980
https://notcve.org/view.php?id=CVE-2022-28980
22 Sep 2022 — Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Liferay Portal versión v7.4.3.4 y Liferay DXP versión v7.4 GA, permiten a atacantes ejecutar scripts web o HTML arbitrarios por medio de parámetros con el prefijo filter_ • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-28981
https://notcve.org/view.php?id=CVE-2022-28981
22 Sep 2022 — Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter. Una vulnerabilidad de salto de ruta en el módulo Hypermedia REST APIs de Liferay Portal versiones 7.4.0 hasta 7.4.2, permite a atacantes remotos acceder a archivos fuera de com.liferay.headless.discovery.web/META-INF/resources por medio del parámetro "parameter" • http://liferay.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 37EXPL: 0CVE-2022-28977
https://notcve.org/view.php?id=CVE-2022-28977
22 Sep 2022 — HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect. El archivo HtmlUtil.escapeRedirect en Liferay Portal versiones ... • http://liferay.com • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •