CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-33321
https://notcve.org/view.php?id=CVE-2021-33321
03 Aug 2021 — Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. Una configuración no segura predeterminada en Liferay Portal versiones 6.2.3 hasta 7.3.2, y Liferay DXP versiones anteriores a 7.3, permite a atacantes remotos enumerar la dirección de correo electrónico del usuario por medio de la funcional... • https://help.liferay.com/hc/en-us/articles/360050785632 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 4.3EPSS: 0%CPEs: 91EXPL: 0CVE-2021-33320
https://notcve.org/view.php?id=CVE-2021-33320
03 Aug 2021 — The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails El módulo Flags en Liferay Portal versiones 7.3.1 y anteriores, y Liferay DXP versiones 7.0 anteriores a fix pack 96, versiones 7.1 anteriores a fix pack 20, y versiones 7.2 anteriores a fix pack 5, no limita l... • https://issues.liferay.com/browse/LPE-17007 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29052
https://notcve.org/view.php?id=CVE-2021-29052
17 May 2021 — The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls. El módulo Data Engine en Liferay Portal versiones 7.3.0 hasta 7.3.5 y Liferay DXP versiones 7.3 anteriores a fixpack 1 no comprueba los permisos en DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefi... • http://liferay.com • CWE-276: Incorrect Default Permissions •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 0CVE-2021-29048
https://notcve.org/view.php?id=CVE-2021-29048
17 May 2021 — Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en la página de administración page del módulo Layout en Liferay Portal versiones 7.3.4, 7.3.5 y Liferay DXP versiones 7.2 anterio... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 33EXPL: 0CVE-2021-29051
https://notcve.org/view.php?id=CVE-2021-29051
17 May 2021 — Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en la aplicación Asset Publisher del módulo Asset en Liferay Portal... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 98EXPL: 0CVE-2021-29044
https://notcve.org/view.php?id=CVE-2021-29044
17 May 2021 — Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en las páginas de administración de peticiones de membresía... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 98EXPL: 0CVE-2021-29043
https://notcve.org/view.php?id=CVE-2021-29043
17 May 2021 — The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. El módulo Portal Store en Liferay Portal versiones 7.0.0 hasta 7.3.5 y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 21, versiones 7.2 anterio... • http://liferay.com • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29045
https://notcve.org/view.php?id=CVE-2021-29045
17 May 2021 — Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en la página de administración de redireccionamiento del módulo Redirect en Liferay Portal versiones 7.3.2 hasta 7.3.5, y Lifer... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-29047
https://notcve.org/view.php?id=CVE-2021-29047
16 May 2021 — The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer. La implementación de SimpleCaptcha en Liferay Portal versiones 7.3.4, 7.3.5 y Liferay DXP versiones 7.3 anteriores al fixpack 1, no invalida las respuestas CAPTCHA después de su uso, lo que permite a atacantes remotos llevar a ... • http://liferay.com • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 98EXPL: 0CVE-2021-29040
https://notcve.org/view.php?id=CVE-2021-29040
16 May 2021 — The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs. Los servicios web JSON en Liferay Portal versiones 7.3.4 y anteriores, y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 20 y versiones 7.2 anterio... • http://liferay.com • CWE-209: Generation of Error Message Containing Sensitive Information •