CVSS: 9.0EPSS: 0%CPEs: 104EXPL: 1CVE-2023-42628
https://notcve.org/view.php?id=CVE-2023-42628
17 Oct 2023 — Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field. Vulnerabilidad de Cross-Site Scripting (XSS) almacenadas en el widget Wiki en Liferay Por... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 36EXPL: 0CVE-2023-44310
https://notcve.org/view.php?id=CVE-2023-44310
17 Oct 2023 — Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text field. Vulnerabilidad de Cross-Site Scripting (XSS) almacenada en Page Tree menu Liferay Portal 7.3.6 hasta 7.4.3.78, y Liferay DXP 7.3 fixpack 1 hasta la actualización 23, y 7.4 antes de la actualización 79 permit... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-33949
https://notcve.org/view.php?id=CVE-2023-33949
24 May 2023 — In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 5.5EPSS: 0%CPEs: 50EXPL: 0CVE-2023-33939
https://notcve.org/view.php?id=CVE-2023-33939
24 May 2023 — Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 31EXPL: 0CVE-2023-33937
https://notcve.org/view.php?id=CVE-2023-33937
24 May 2023 — Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33937 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0CVE-2022-42130
https://notcve.org/view.php?id=CVE-2022-42130
15 Nov 2022 — The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. El módulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualización 4 y 7.4 GA no comprueba correctamente el permiso de l... • http://liferay.com • CWE-276: Incorrect Default Permissions •
CVSS: 4.8EPSS: 0%CPEs: 48EXPL: 0CVE-2022-42131
https://notcve.org/view.php?id=CVE-2022-42131
15 Nov 2022 — Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3. Ciertos productos de Liferay se ven afectados por: Falta de Validación de Certificado SSL en los proveedores de datos REST del módulo Dynamic Data Mapping. Esto afecta a Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pac... • http://liferay.com • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 0%CPEs: 151EXPL: 0CVE-2022-42132
https://notcve.org/view.php?id=CVE-2022-42132
15 Nov 2022 — The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. La funcionalidad Probar usuarios de LDAP en Liferay Portal 7.0.0 a 7.4.3.4, y Liferay DXP 7.0 fixpack 102... • http://liferay.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 114EXPL: 0CVE-2022-26596
https://notcve.org/view.php?id=CVE-2022-26596
25 Apr 2022 — Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names. Una vulnerabilidad de tipo Cross-site scripting (XSS) en la página de configuración de visualización de contenido web del módulo Journal en Liferay Portal versiones 7.1.0 hasta 7.3.3, y L... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26597
https://notcve.org/view.php?id=CVE-2022-26597
25 Apr 2022 — Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. Una vulnerabilidad de tipo cross-site scripting (XSS) en la integración de Open Graph del módulo Layout en Liferay Portal 7.3.0 hasta 7.4.0, y Liferay DXP 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web o HTML arbitrario por medio de... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •