CVE-2010-5327
https://notcve.org/view.php?id=CVE-2010-5327
Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template. Liferay Portal hasta la versión 6.2.10 permite a usuarios remotos autenticados ejecutar comandos shell arbitrarios a través de una plantilla Velocity manipulada. • https://dev.liferay.com/web/community-security-team/known-vulnerabilities https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates https://github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91 https://issues.liferay.com/browse/LPE-14964 https://issues.liferay.com/browse/LPS-64547 https://issues.liferay.com/browse/LPS-7087 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2016-3670 – Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-3670
Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field. Vulnerabilidad de XSS en users.jsp en la funcionalidad Profile Search functionality en Liferay en versiones anteriores a 7.0.0 CE RC1 permite a atacantes remotos inyectar comandos web o HTML arbitrarios a través del campo FirstName. Liferay CE versions prior to 6.2 CE GA6 suffer from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/39880 http://packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2016/Jun/5 http://www.securitytracker.com/id/1036083 https://issues.liferay.com/browse/LPS-62387 https://labs.integrity.pt/advisories/cve-2016-3670 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-8349
https://notcve.org/view.php?id=CVE-2014-8349
Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file. Vulnerabilidad de XSS en Liferay Portal Enterprise Edition (EE) 6.2 SP8 y anteriores permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro _20_body en el campo de comentario en un fichero subido. • http://packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Nov/61 http://www.securitytracker.com/id/1031255 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-2963
https://notcve.org/view.php?id=CVE-2014-2963
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter. Múltiples vulnerabilidades de XSS en group/control_panel/manage en Liferay Portal 6.1.2 CE GA3, 6.1.X EE y 6.2.X EE permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) _2_firstName, (2) _2_lastName o (3) _2_middleName. • http://www.kb.cert.org/vuls/id/100972 https://github.com/samuelkong/liferay-portal/pull/610 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-1570
https://notcve.org/view.php?id=CVE-2011-1570
Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Liferay Portal Community Edition (CE) v6.x anterior a v6.0.6 GA, cuando Apache Tomcat es utilizado, permite a atacantes remotos autenticados inyectar secuencias de comandos web o HTML a través de un mensaje titulo, una vulnerabilidad diferente a CVE-2004-2030. • http://issues.liferay.com/browse/LPS-12628 http://issues.liferay.com/browse/LPS-13250 http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952 http://openwall.com/lists/oss-security/2011/03/29/1 http://openwall.com/lists/oss-security/2011/04/08/5 http://openwall.com/lists/oss-security/2011/04/11/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •