Look up vulnerable packages by Package URL.

GET /api/packages/68799?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/68799?format=api",
    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.2.0",
    "type": "maven",
    "namespace": "com.liferay.portal",
    "name": "release.portal.bom",
    "version": "7.2.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "7.3.7",
    "latest_non_vulnerable_version": "7.4.3.120",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47058?format=api",
            "vulnerability_id": "VCID-1fqz-psdf-g7dm",
            "summary": "Liferay Portal and Liferay DXP User Enumeration Vulnerability\nUser enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exists in the application by comparing the request's response time.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/46db55ec21103fa39542e2cba080c4f98e3c5f93",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/46db55ec21103fa39542e2cba080c4f98e3c5f93"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/d8d0ae0178a2d902b541c80a230a2c7a5ab246e8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/d8d0ae0178a2d902b541c80a230a2c7a5ab246e8"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268",
                    "reference_id": "CVE-2024-26268",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26268",
                    "reference_id": "CVE-2024-26268",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26268"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qm43-g2xj-hvg5",
                    "reference_id": "GHSA-qm43-g2xj-hvg5",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-qm43-g2xj-hvg5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69041?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.27-ga27",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.27-ga27"
                }
            ],
            "aliases": [
                "CVE-2024-26268",
                "GHSA-qm43-g2xj-hvg5"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1fqz-psdf-g7dm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47059?format=api",
            "vulnerability_id": "VCID-266t-4gfq-duh4",
            "summary": "Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel\nInformation disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a04",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a04"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dc",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dc"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610d",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610d"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c0"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150",
                    "reference_id": "CVE-2024-25150",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25150",
                    "reference_id": "CVE-2024-25150",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25150"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4585-28v2-8h46",
                    "reference_id": "GHSA-4585-28v2-8h46",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-4585-28v2-8h46"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69044?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.4-ga4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-11qf-d5xp-4fey"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.4-ga4"
                }
            ],
            "aliases": [
                "CVE-2024-25150",
                "GHSA-4585-28v2-8h46"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-266t-4gfq-duh4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46963?format=api",
            "vulnerability_id": "VCID-77qw-vmwe-x3d4",
            "summary": "Liferay Portal denial of service (memory consumption)\nThe Document and Media widget in Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/29b73b9b896c7d44fb5d1800a402698c303d1cf6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/29b73b9b896c7d44fb5d1800a402698c303d1cf6"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/4381c10ad0722b3b00c3e3567b68538ab0994145",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/4381c10ad0722b3b00c3e3567b68538ab0994145"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/releases/tag/7.3.7-ga8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/releases/tag/7.3.7-ga8"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143",
                    "reference_id": "CVE-2024-25143",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25143",
                    "reference_id": "CVE-2024-25143",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25143"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-87m3-6qj3-p3xh",
                    "reference_id": "GHSA-87m3-6qj3-p3xh",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-87m3-6qj3-p3xh"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/68800?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.3.7",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.3.7"
                }
            ],
            "aliases": [
                "CVE-2024-25143",
                "GHSA-87m3-6qj3-p3xh"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-77qw-vmwe-x3d4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47054?format=api",
            "vulnerability_id": "VCID-8jv6-163j-a7b2",
            "summary": "Liferay Portal and Liferay DXP Does Not Properly Restrict Membership to Child Site Based on Parent Site Options\nLiferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the \"Limit membership to members of the parent site\" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/dfd287acb325e2cddced3910e3baba1d258509de",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/dfd287acb325e2cddced3910e3baba1d258509de"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149",
                    "reference_id": "CVE-2024-25149",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25149",
                    "reference_id": "CVE-2024-25149",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25149"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qpgh-6v9w-vfv6",
                    "reference_id": "GHSA-qpgh-6v9w-vfv6",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-qpgh-6v9w-vfv6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/61432?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.2-ga3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.2-ga3"
                }
            ],
            "aliases": [
                "CVE-2024-25149",
                "GHSA-qpgh-6v9w-vfv6"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8jv6-163j-a7b2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47047?format=api",
            "vulnerability_id": "VCID-9471-umbz-pucy",
            "summary": "Liferay Portal and Liferay DXP Allows Templates to be Viewed via the UI or API\nThe Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/45ffb97de7ac475335215f2b6e86ebe1e7283ab4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/45ffb97de7ac475335215f2b6e86ebe1e7283ab4"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/5eb426ecc49e036ad566e829b8a2132104f7130e",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/5eb426ecc49e036ad566e829b8a2132104f7130e"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605",
                    "reference_id": "CVE-2024-25605",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25605",
                    "reference_id": "CVE-2024-25605",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25605"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mf8h-grfg-j9j3",
                    "reference_id": "GHSA-mf8h-grfg-j9j3",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-mf8h-grfg-j9j3"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69030?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.5-ga5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.5-ga5"
                }
            ],
            "aliases": [
                "CVE-2024-25605",
                "GHSA-mf8h-grfg-j9j3"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9471-umbz-pucy"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47064?format=api",
            "vulnerability_id": "VCID-9yw4-52sc-rbbz",
            "summary": "Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Two Forward Slashes\nHtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/3c5ee2054b44e4354cd2e53782914157ef2b5362",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/3c5ee2054b44e4354cd2e53782914157ef2b5362"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/5c9655c941b18d8948a0c38b2bc84f4a1f83543a",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/5c9655c941b18d8948a0c38b2bc84f4a1f83543a"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/66f3ae610c24f10a6950e75e0ca4c981935244ed",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/66f3ae610c24f10a6950e75e0ca4c981935244ed"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/702a1e35896681f04ec3c7c8075aa87d5e16a18d",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/702a1e35896681f04ec3c7c8075aa87d5e16a18d"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/7aca15e7195a03243d5461fcf09cde0fa7de81f0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/7aca15e7195a03243d5461fcf09cde0fa7de81f0"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/dca931af71a3d9fbd896a25b92396df8458d2886",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/dca931af71a3d9fbd896a25b92396df8458d2886"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/f015ad20bd9ee1661ccff5fb48e03dd3a1ebf003",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/f015ad20bd9ee1661ccff5fb48e03dd3a1ebf003"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25609",
                    "reference_id": "CVE-2024-25609",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25609"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25609",
                    "reference_id": "CVE-2024-25609",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25609"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3qq5-wcrx-4h8r",
                    "reference_id": "GHSA-3qq5-wcrx-4h8r",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-3qq5-wcrx-4h8r"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69055?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.13-ga13",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.13-ga13"
                }
            ],
            "aliases": [
                "CVE-2024-25609",
                "GHSA-3qq5-wcrx-4h8r"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9yw4-52sc-rbbz"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47061?format=api",
            "vulnerability_id": "VCID-e5c7-wsvb-dyfm",
            "summary": "Liferay Portal and Liferay DXP HTTP Header Can Expose Versions\nIn Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via the `Liferay-Portal` response header.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/00750dade0cc81efc380fcc6d7e2f58060c4ad95",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/00750dade0cc81efc380fcc6d7e2f58060c4ad95"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/0e881cac66db14a11673c0352def6df04f77d35c",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/0e881cac66db14a11673c0352def6df04f77d35c"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/9658cec331feaaaad8bf93c6f65e1768a1f43ae2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/9658cec331feaaaad8bf93c6f65e1768a1f43ae2"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267",
                    "reference_id": "CVE-2024-26267",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26267",
                    "reference_id": "CVE-2024-26267",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26267"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2mvj-q2q3-wxjv",
                    "reference_id": "GHSA-2mvj-q2q3-wxjv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-2mvj-q2q3-wxjv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69048?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.26-ga26",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.26-ga26"
                }
            ],
            "aliases": [
                "CVE-2024-26267",
                "GHSA-2mvj-q2q3-wxjv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e5c7-wsvb-dyfm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46979?format=api",
            "vulnerability_id": "VCID-ggs5-4zac-vqa7",
            "summary": "Liferay Portal denial-of-service vulnerability\nThe IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self-referencing IFrame.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144",
                    "reference_id": "CVE-2024-25144",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25144",
                    "reference_id": "CVE-2024-25144",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25144"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w275-m8cr-hf2v",
                    "reference_id": "GHSA-w275-m8cr-hf2v",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-w275-m8cr-hf2v"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/68840?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.27",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.27"
                }
            ],
            "aliases": [
                "CVE-2024-25144",
                "GHSA-w275-m8cr-hf2v"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ggs5-4zac-vqa7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46974?format=api",
            "vulnerability_id": "VCID-hw1d-gdcv-vkec",
            "summary": "Liferay Portal vulnerable to user impersonation\nIn Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148",
                    "reference_id": "CVE-2024-25148",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25148",
                    "reference_id": "CVE-2024-25148",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25148"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qwj8-qgpr-8crm",
                    "reference_id": "GHSA-qwj8-qgpr-8crm",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-qwj8-qgpr-8crm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/68824?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4mcy-yw2p-v7bd"
                        },
                        {
                            "vulnerability": "VCID-b7h9-cxkj-hkc8"
                        },
                        {
                            "vulnerability": "VCID-h261-uqtv-yfek"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.2"
                }
            ],
            "aliases": [
                "CVE-2024-25148",
                "GHSA-qwj8-qgpr-8crm"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hw1d-gdcv-vkec"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47065?format=api",
            "vulnerability_id": "VCID-k9yt-aj7x-3bht",
            "summary": "Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Replacement Character\nHtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/36adf82ef7a09c7035d4f19a1982dcde1ae3f6ae",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/36adf82ef7a09c7035d4f19a1982dcde1ae3f6ae"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/aea651fa5110934b6a00d93391fac87985e27786",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/aea651fa5110934b6a00d93391fac87985e27786"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608",
                    "reference_id": "CVE-2024-25608",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25608",
                    "reference_id": "CVE-2024-25608",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25608"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-548x-j6x6-hcv4",
                    "reference_id": "GHSA-548x-j6x6-hcv4",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-548x-j6x6-hcv4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69072?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.19-ga19",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.19-ga19"
                }
            ],
            "aliases": [
                "CVE-2024-25608",
                "GHSA-548x-j6x6-hcv4"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k9yt-aj7x-3bht"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47063?format=api",
            "vulnerability_id": "VCID-mcea-q7za-duay",
            "summary": "Liferay Portal and Liferay DXP Allows Authenticated Users with View Permissions to Edit Permissions\nLiferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/4a196df20e180be76944cd0c623df486379d7724",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/4a196df20e180be76944cd0c623df486379d7724"
                },
                {
                    "reference_url": "https://github.com/liferay/liferay-portal/commit/f028316fa975d2e13bed7ef49d69ab77f412765e",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal/commit/f028316fa975d2e13bed7ef49d69ab77f412765e"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604",
                    "reference_id": "CVE-2024-25604",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25604",
                    "reference_id": "CVE-2024-25604",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25604"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-pw7p-3648-qqmg",
                    "reference_id": "GHSA-pw7p-3648-qqmg",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-pw7p-3648-qqmg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69030?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.5-ga5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.5-ga5"
                }
            ],
            "aliases": [
                "CVE-2024-25604",
                "GHSA-pw7p-3648-qqmg"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mcea-q7za-duay"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46977?format=api",
            "vulnerability_id": "VCID-p9am-1rhf-6bh2",
            "summary": "Observable Response Discrepancy\nLiferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions return different responses depending on whether a site does not exist or the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.",
            "references": [
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146",
                    "reference_id": "CVE-2024-25146",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25146",
                    "reference_id": "CVE-2024-25146",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25146"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mqf8-4cqm-p83x",
                    "reference_id": "GHSA-mqf8-4cqm-p83x",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-mqf8-4cqm-p83x"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/68824?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4mcy-yw2p-v7bd"
                        },
                        {
                            "vulnerability": "VCID-b7h9-cxkj-hkc8"
                        },
                        {
                            "vulnerability": "VCID-h261-uqtv-yfek"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.2"
                }
            ],
            "aliases": [
                "CVE-2024-25146",
                "GHSA-mqf8-4cqm-p83x"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p9am-1rhf-6bh2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47086?format=api",
            "vulnerability_id": "VCID-qks2-mqk8-wffq",
            "summary": "Liferay Portal Frontend JS module's portlet.js and Liferay DXP vulnerable to Cross-site Scripting\nCross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269",
                    "reference_id": "CVE-2024-26269",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26269",
                    "reference_id": "CVE-2024-26269",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26269"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rwhv-hvj2-qrqm",
                    "reference_id": "GHSA-rwhv-hvj2-qrqm",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-rwhv-hvj2-qrqm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69086?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.38",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.38"
                }
            ],
            "aliases": [
                "CVE-2024-26269",
                "GHSA-rwhv-hvj2-qrqm"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qks2-mqk8-wffq"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46973?format=api",
            "vulnerability_id": "VCID-ub82-jbgf-mfb8",
            "summary": "Liferay Portal's account lockout does not invalidate existing user sessions\nAccount lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.",
            "references": [
                {
                    "reference_url": "https://github.com/liferay/liferay-portal",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/liferay/liferay-portal"
                },
                {
                    "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798",
                    "reference_id": "CVE-2023-47798",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47798",
                    "reference_id": "CVE-2023-47798",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47798"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2mx7-xvfg-fg53",
                    "reference_id": "GHSA-2mx7-xvfg-fg53",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-2mx7-xvfg-fg53"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65206?format=api",
                    "purl": "pkg:maven/com.liferay.portal/release.portal.bom@7.3.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-pdbx-p4mr-97h4"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.3.1"
                }
            ],
            "aliases": [
                "CVE-2023-47798",
                "GHSA-2mx7-xvfg-fg53"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ub82-jbgf-mfb8"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.2.0"
}