Vulnerabilities (CVE)

Filtered by vendor Liferay Subscribe
Filtered by product Liferay Portal
Total 150 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42125 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-02-28 N/A 7.5 HIGH
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.
CVE-2022-42117 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 6.1 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.
CVE-2022-42129 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-02-28 N/A 4.3 MEDIUM
An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.
CVE-2022-38902 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 5.4 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic.
CVE-2022-42118 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 6.1 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.
CVE-2022-42132 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-02-28 N/A 5.9 MEDIUM
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
CVE-2022-42113 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 6.1 MEDIUM
A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter.
CVE-2022-39975 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 4.3 MEDIUM
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
CVE-2022-41414 1 Liferay 1 Liferay Portal 2024-02-28 N/A 5.3 MEDIUM
An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.
CVE-2022-42122 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 9.8 CRITICAL
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.
CVE-2022-42127 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-02-28 N/A 5.3 MEDIUM
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.
CVE-2022-42121 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 8.8 HIGH
A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.
CVE-2022-38901 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 5.4 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file.
CVE-2022-28979 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 6.1 MEDIUM
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
CVE-2022-28982 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
CVE-2022-42116 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 6.1 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter.
CVE-2022-42126 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-02-28 N/A 4.3 MEDIUM
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
CVE-2022-42110 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 6.1 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML.
CVE-2022-42124 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-02-28 N/A 7.5 HIGH
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.
CVE-2022-42120 1 Liferay 2 Dxp, Liferay Portal 2024-02-28 N/A 9.8 CRITICAL
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.