CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26597
https://notcve.org/view.php?id=CVE-2022-26597
25 Apr 2022 — Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. Una vulnerabilidad de tipo cross-site scripting (XSS) en la integración de Open Graph del módulo Layout en Liferay Portal 7.3.0 hasta 7.4.0, y Liferay DXP 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web o HTML arbitrario por medio de... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26595
https://notcve.org/view.php?id=CVE-2022-26595
19 Apr 2022 — Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI. Liferay Portal versiones 7.3.7, 7.4.0, y 7.4.1, y Liferay DXP versiones 7.2 fix pack 13, y 7.3 fix pack 2 no comprueban apropiadamente los permisos de usuarios cuando acceden a una lista de sitios/grupos, lo que permite a usuarios rem... • http://liferay.com • CWE-276: Incorrect Default Permissions •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26593
https://notcve.org/view.php?id=CVE-2022-26593
19 Apr 2022 — Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of a asset category. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el selector de categorías de activos del módulo Asset en Liferay Portal versiones 7.3.3 hasta 7.4.0, y Liferay DXP versiones 7.3 anteriores al Service Pack 3 permite a atacantes remotos in... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-26594
https://notcve.org/view.php?id=CVE-2022-26594
15 Apr 2022 — Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Liferay Portal versiones 7.3.5 hasta 7.4.0 y Liferay DXP versiones 7.3 anteriores a service pack 3, permiten a atacantes remot... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25146
https://notcve.org/view.php?id=CVE-2022-25146
02 Mar 2022 — The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message. El módulo Remote App en Liferay Portal Liferay Portal v7.4.3.4 hasta v7.4.3.8 y Liferay DXP 7.4 antes de la actualización 5 no comprueba si el origen de los mensajes de evento que recibe coincide con el origen de la Remot... • http://liferay.com • CWE-346: Origin Validation Error •
CVSS: 5.4EPSS: 0%CPEs: 41EXPL: 0CVE-2021-38269
https://notcve.org/view.php?id=CVE-2021-38269
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command. Una vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo Gogo Shell en Liferay Portal 7.1.0 hasta 7.3.6 y 7.4.0, y Liferay DXP 7.1 antes del paquete de correcciones 23, 7.2 antes... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2021-38267
https://notcve.org/view.php?id=CVE-2021-38267
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter. La vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la página de edición de entradas de blog del módulo Blogs en Liferay Portal 7.3.... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 132EXPL: 0CVE-2021-38263
https://notcve.org/view.php?id=CVE-2021-38263
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script. La vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la consola de secuencias de comandos del módulo Server en Liferay Portal 7.3.2 y anteriores, y Liferay DXP 7.0 antes del paquete de correccion... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38264
https://notcve.org/view.php?id=CVE-2021-38264
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463. Una vulnerabilidad de scripting cruzado (XSS) en el módulo Frontend Taglib en Liferay Portal 7.4.0 y 7.4.1 permite a los atacantes remotos inyectar script web o HTML arbitrario en la búsqueda de la barra de herramienta... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38265
https://notcve.org/view.php?id=CVE-2021-38265
02 Mar 2022 — Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter. Una vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo Asset de Liferay Portal 7.3.4 a 7.3.6 permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios al crear una página de colección ... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •