
CVE-2022-28979
https://notcve.org/view.php?id=CVE-2022-28979
21 Sep 2022 — Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 were discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field. • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-26597
https://notcve.org/view.php?id=CVE-2022-26597
25 Apr 2022 — Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-26593
https://notcve.org/view.php?id=CVE-2022-26593
19 Apr 2022 — Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of an asset category. • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-38269
https://notcve.org/view.php?id=CVE-2021-38269
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command. • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-38267
https://notcve.org/view.php?id=CVE-2021-38267
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameters. • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-38265
https://notcve.org/view.php?id=CVE-2021-38265
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter. • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-38268
https://notcve.org/view.php?id=CVE-2021-38268
02 Mar 2022 — The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API. • http://liferay.com • CWE-276: Incorrect Default Permissions

CVE-2020-28885
https://notcve.org/view.php?id=CVE-2020-28885
28 Jan 2022 — Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design fla • https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2020-28884
https://notcve.org/view.php?id=CVE-2020-28884
28 Jan 2022 — Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw. • https://learn.liferay.com/dxp/latest/en/system-administration/using-the-script-engine/running-scripts-from-the-script-console.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2021-33337
https://notcve.org/view.php?id=CVE-2021-33337
04 Aug 2021 — Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter. • https://issues.liferay.com/browse/LPE-17101 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')