| Field | Value |
|---|---|
| purl | pkg:maven/com.liferay.portal/release.portal.bom@7.2.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-18rc-sf32-2uf1 (aliases: CVE-2023-37940, GHSA-px38-239g-x5mg) | Liferay Portal and Liferay DXP have Cross-site Scripting vulnerability in edit Service Access Policy page: Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field. | Affected by 52 other vulnerabilities. |
| VCID-2ecb-ttx2-akfv (aliases: CVE-2021-33321, GHSA-jfch-m2x3-2v66) | Liferay Portal and Liferay DXP insecure default configuration: Insecure default configuration in portal services implementation before 5.11.0 in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal property `login.secure.forgot.password` should default to true. | Affected by 59 other vulnerabilities. |
| VCID-2f2r-qffz-mfgz (aliases: CVE-2024-25151, GHSA-hgr6-6hhw-883f) | Liferay Portal Calendar module and Liferay DXP vulnerable to Cross-site Scripting, content spoofing: The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client. | Affected by 73 other vulnerabilities. |
| VCID-2mj1-ag1g-cua8 (aliases: CVE-2022-45320, GHSA-mc8m-4r3w-q2hw) | Privilege escalation in Liferay Portal: Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page. | Affected by 60 other vulnerabilities. |
| VCID-33gp-mfve-tfep (aliases: CVE-2024-25610, GHSA-vvpf-53qx-cxhh) | Liferay Portal has a Stored XSS with Blog entries (Insecure defaults): In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry's content text field. | Affected by 64 other vulnerabilities. |
| VCID-36t8-hged-ekdu (aliases: CVE-2024-25602, GHSA-v2xq-m22w-jmpr) | Liferay Portal and Liferay DXP's Users Admin module vulnerable to stored Cross-site Scripting: Stored cross-site scripting (XSS) vulnerability in the Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization's "Name" text field. | Affected by 72 other vulnerabilities. |
| VCID-3c5w-ggtq-cqe7 (aliases: CVE-2024-26265, GHSA-29xx-fhff-36m7) | Liferay Portal vulnerable to Denial of Service: The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter. | Affected by 60 other vulnerabilities. |
| VCID-3f6j-kwvs-6ugd (aliases: CVE-2024-26267, GHSA-2mvj-q2q3-wxjv) | Liferay Portal and Liferay DXP HTTP Header Can Expose Versions: In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running, and the vulnerabilities that affect that version, via the `Liferay-Portal` response header. | Affected by 0 other vulnerabilities. Affected by 57 other vulnerabilities. |
| VCID-4wqj-6chv-ryfw (aliases: CVE-2021-33335, GHSA-5gh9-g62h-f35m) | Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers: Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user. | Affected by 60 other vulnerabilities. |
| VCID-59hg-58e6-q3hq (aliases: CVE-2022-42130, GHSA-mxvq-cv4x-p3jw) | Incorrect Default Permissions in Liferay Portal: The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. | Affected by 69 other vulnerabilities. |
| VCID-5pe7-5247-suab (aliases: CVE-2024-25147, GHSA-xpjg-7hx7-wgcx) | Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting: Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted `javascript:`-style links. | Affected by 79 other vulnerabilities. |
| VCID-6e8x-qeby-u3d1 (aliases: CVE-2025-3760, GHSA-qhp6-vp7c-g7xp) | Liferay Cross-site Scripting vulnerability: A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page. | Affected by 18 other vulnerabilities. |
| VCID-6sgc-ycxe-y3fe (aliases: CVE-2020-15840, GHSA-vrwx-q9pj-x488) | Liferay Portal and Liferay DXP Bypass via Double Encoded URL: In Liferay Portal before 7.3.1, com.liferay.portal:com.liferay.portal.impl before 7.1.3 and 7.4.0, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property `portlet.resource.id.banned.paths.regexp` can be bypassed with double-encoded URLs. | Affected by 60 other vulnerabilities. |
| VCID-6tcj-y2c3-fubp (aliases: CVE-2023-33937, GHSA-v6m2-j92j-2h78) | Cross-site scripting in Liferay Portal: Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field. | Affected by 60 other vulnerabilities. |
| VCID-7jy4-y541-y7cy (aliases: CVE-2024-26269, GHSA-rwhv-hvj2-qrqm) | Liferay Portal Frontend JS module's portlet.js and Liferay DXP vulnerable to Cross-site Scripting: Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL. | Affected by 52 other vulnerabilities. |
| VCID-7r16-vwh1-zya5 (aliases: CVE-2021-33328, GHSA-vpvm-3wfw-5f5c) | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) in Edit Vocabulary Page: Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) `_com_liferay_journal_web_portlet_JournalPortlet_name` or (2) `_com_liferay_document_library_web_portlet_DLAdminPortlet_name` parameter. | Affected by 60 other vulnerabilities. |
| VCID-89xx-vse5-4ubh (aliases: CVE-2021-33332, GHSA-9995-qvcg-x7g6) | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS): Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource` parameter. | Affected by 60 other vulnerabilities. |
| VCID-95pj-kw78-1bbf (aliases: CVE-2021-33334, GHSA-g37f-j8hh-736f) | Liferay Portal and Liferay DXP Fails to Properly Check User Permissions: The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration. | Affected by 60 other vulnerabilities. |
| VCID-agc1-9p3t-1yhs (aliases: CVE-2020-25476, GHSA-pvpg-9553-f979) | Liferay Portal Vulnerable to Cross-Site Scripting (XSS) via User Name Parameter: Liferay CMS Portal versions 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert a malicious payload into the username, lastname or surname fields of their own profile, and the payload will be injected and reflected in the calendar of the user who submitted it. An attacker could escalate their privileges if an admin visits the calendar that carries the injected payload. | Affected by 61 other vulnerabilities. |
| VCID-bh4a-9r76-buh3 (aliases: CVE-2020-13445, GHSA-v377-8f8f-532h) | Liferay Portal and Liferay DXP Vulnerable to Arbitrary Code Execution: In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates. | Affected by 63 other vulnerabilities. |
| VCID-c86c-e9ym-jud2 (aliases: CVE-2024-26268, GHSA-qm43-g2xj-hvg5) | Liferay Portal and Liferay DXP User Enumeration Vulnerability: User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine whether an account exists in the application by comparing the request's response time. | Affected by 0 other vulnerabilities. Affected by 56 other vulnerabilities. |
| VCID-c8qf-rhg7-r7en (aliases: CVE-2020-7934, GHSA-f99h-h678-fgg4) | Liferay Portal Vulnerable to Persistent Cross-Site Scripting (XSS) in MyAccountPortlet: In Liferay Portal CE 7.1.0 through 7.2.1, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). | Affected by 62 other vulnerabilities. |
| VCID-cju2-b53t-sqby (aliases: CVE-2021-29040, GHSA-87x7-pwrx-jch7) | Liferay Portal and Liferay DXP Reveals Data via Overly Verbose Error Messages: The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch other, more focused attacks via crafted inputs. | Affected by 60 other vulnerabilities. |
| VCID-da1k-nezs-xfh8 (aliases: CVE-2022-41414, GHSA-9427-7f65-88c8) | Liferay Portal Insecure Default Configuration in auth.login.prompt.enabled: An insecure default in the component `auth.login.prompt.enabled` of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages. | Affected by 0 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-dah3-w7pd-43cp (aliases: CVE-2024-25604, GHSA-pw7p-3648-qqmg) | Liferay Portal and Liferay DXP Allows Authenticated Users with View Permissions to Edit Permissions: Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permissions via the Users and Organizations section of the Control Panel. | Affected by 0 other vulnerabilities. Affected by 66 other vulnerabilities. |
| VCID-edx8-nkvm-7qh5 (aliases: CVE-2024-25143, GHSA-87m3-6qj3-p3xh) | Liferay Portal denial of service (memory consumption): The Document and Media widget in Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images. | Affected by 52 other vulnerabilities. |
| VCID-ejsh-acyx-2bda (aliases: CVE-2024-25608, GHSA-548x-j6x6-hcv4) | Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Replacement Character: HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect. | Affected by 0 other vulnerabilities. Affected by 58 other vulnerabilities. |
| VCID-fw85-s4c1-bkg5 (aliases: CVE-2020-24554, GHSA-mg53-xr8m-86hw) | Open Redirect in Liferay Portal: The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist. | Affected by 59 other vulnerabilities. |
| VCID-h1cb-zuuy-tyf9 (aliases: CVE-2020-15842, GHSA-mg3r-9jh8-33r9) | Liferay Portal and Liferay DXP have Insecure Deserialization Vulnerability: Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | Affected by 62 other vulnerabilities. |
| VCID-j1bu-gxq7-abcx (aliases: CVE-2024-8980, GHSA-chj2-4vg7-hhg3) | Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console: The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or an XSS vulnerability. This issue has been patched in Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 Update 36. | Affected by 0 other vulnerabilities. Affected by 43 other vulnerabilities. |
| VCID-j1sr-kz76-wuew (aliases: CVE-2024-25145, GHSA-9vgq-w5pv-v77q) | Liferay Portal stored cross-site scripting (XSS) vulnerability: Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search results, if highlighting is disabled, by adding any searchable content (e.g., blog, message board message, web content article) to the application. | Affected by 66 other vulnerabilities. |
| VCID-j6nv-5sjy-ykdy (aliases: CVE-2024-25150, GHSA-4585-28v2-8h46) | Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel: Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names. | Affected by 1 other vulnerability. Affected by 69 other vulnerabilities. |
| VCID-jc82-h5sv-gqh2 (aliases: CVE-2021-33331, GHSA-mj8w-h522-jwm8) | Liferay Portal and Liferay DXP Allows Arbitrary Redirect of Users to External URLs: Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the `redirect` parameter. | Affected by 60 other vulnerabilities. |
| VCID-jpkw-3wk4-ebfq (aliases: CVE-2021-29044, GHSA-wcr5-3q96-c2gr) | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via Membership Request Admin Page: Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments` parameter. | Affected by 51 other vulnerabilities. |
| VCID-km7p-5bjk-nkd4 (aliases: CVE-2021-33324, GHSA-474f-cmx5-gm69) | Liferay Portal and Liferay DXP Don't Check Permissions of Pages: The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration. | Affected by 63 other vulnerabilities. |
| VCID-ngx4-7y39-63bf (aliases: CVE-2024-25603, GHSA-44jg-jgjx-3xg5) | Liferay Portal's Dynamic Data Mapping module's DDMForm and Liferay DXP vulnerable to stored Cross-site Scripting: Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the `instanceId` parameter. | Affected by 69 other vulnerabilities. |
| VCID-nh3b-vkjh-y7ee (aliases: CVE-2024-25152, GHSA-p28x-4r5h-ph6j) | Liferay Portal Message Board widget and Liferay DXP vulnerable to stored Cross-site Scripting: Stored cross-site scripting (XSS) vulnerability in the Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment. | Affected by 72 other vulnerabilities. |
| VCID-nuc4-xyd4-33g3 (aliases: CVE-2021-33330, GHSA-6xxc-4jc4-7jv3) | Exposure of Resource to Wrong Sphere in Liferay Portal: Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user's email address and current CSRF token. | Affected by 59 other vulnerabilities. |
| VCID-nzn2-n9hz-67ea (aliases: CVE-2024-26266, GHSA-rwxc-4cmw-7x75) | Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting: Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget. | Affected by 61 other vulnerabilities. |
| VCID-q8ay-yhsa-s7be (aliases: CVE-2024-25601, GHSA-cr36-3vqf-x5w5) | Liferay Portal Expando module and Liferay DXP vulnerable to stored Cross-site Scripting: Stored cross-site scripting (XSS) vulnerability in the Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field. | Affected by 72 other vulnerabilities. |
| VCID-qj75-4nd9-v3h8 (aliases: CVE-2020-15841, GHSA-773f-f929-qgjj) | Liferay Portal and Liferay DXP Potentially Reveal LDAP Server Password via Unsafe Connection: Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to an LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature. | Affected by 62 other vulnerabilities. |
| VCID-qn7s-y6wj-jfcg (aliases: CVE-2021-33338, GHSA-4frg-rpx6-96qh) | Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs: The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the `p_auth` parameter. | Affected by 59 other vulnerabilities. |
| VCID-rrc5-43t6-yfb2 (aliases: CVE-2025-43748, GHSA-p9gc-59hf-x48p) | Liferay Portal Vulnerable to Cross-Site Request Forgery: Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery. | Affected by 23 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-rxws-w8x6-sua4 (aliases: CVE-2024-11993, GHSA-4hxr-28mv-q729) | Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting: Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field. | Affected by 51 other vulnerabilities. |
| VCID-s9md-17hh-yfa3 (aliases: CVE-2024-25146, GHSA-mqf8-4cqm-p83x) | Liferay Portal allows attackers to discover the existence of sites: Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns different responses depending on whether a site does not exist or the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if `locale.prepend.friendly.url.style=2` and a custom 404 page is used. | Affected by 77 other vulnerabilities. |
| VCID-sect-yjwh-1qew (aliases: CVE-2024-25609, GHSA-3qq5-wcrx-4h8r) | Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Two Forward Slashes: HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977. | Affected by 0 other vulnerabilities. Affected by 61 other vulnerabilities. |
| VCID-ssys-9pqn-9kd7 (aliases: CVE-2024-25605, GHSA-mf8h-grfg-j9j3) | Liferay Portal and Liferay DXP Allows Templates to be Viewed via the UI or API: The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API. | Affected by 0 other vulnerabilities. Affected by 66 other vulnerabilities. |
| VCID-uk3w-ehxr-ybe7 (aliases: CVE-2024-25148, GHSA-qwj8-qgpr-8crm) | Liferay Portal vulnerable to user impersonation: In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content. | Affected by 77 other vulnerabilities. |
| VCID-ur67-cmfj-mbas (aliases: CVE-2024-25149, GHSA-qpgh-6v9w-vfv6) | Liferay Portal and Liferay DXP Does Not Properly Restrict Membership to Child Site Based on Parent Site Options: Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not members of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site. | Affected by 0 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-vxds-7hfx-kkdq (aliases: CVE-2022-42131, GHSA-cx84-43xc-3gm2) | Improper Certificate Validation in Liferay Portal: Certain Liferay products are affected by missing SSL certificate validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3. | Affected by 73 other vulnerabilities. |
| VCID-wt4h-fpcv-r3gq (aliases: CVE-2022-42132, GHSA-f43m-hhj4-q3jg) | Liferay Portal and Liferay DXP Includes LDAP Credentials in the Page URL: The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. | Affected by 0 other vulnerabilities. Affected by 66 other vulnerabilities. |
| VCID-x4dx-kkwq-z7ev (aliases: CVE-2023-33939, GHSA-53mw-69qx-q4fc) | Cross-site scripting in Liferay Portal: Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. | Affected by 64 other vulnerabilities. |
| VCID-x9pp-w4xg-vyhn (aliases: CVE-2024-25607, GHSA-43h9-p3j4-39hm) | Liferay Portal defaults to a low work factor for the default password hashing algorithm: The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes. | Affected by 61 other vulnerabilities. |
| VCID-xn6e-me54-7bd5 (aliases: CVE-2021-29043, GHSA-xx2h-2hf5-v7vv) | Liferay Portal and Liferay DXP May Reveal S3 Store's Proxy Password: The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. | Affected by 51 other vulnerabilities. |
| VCID-xrvs-e1n4-hqhb (aliases: CVE-2024-25144, GHSA-w275-m8cr-hf2v) | Liferay Portal denial-of-service vulnerability: The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial of service (DoS) via a self-referencing IFrame. | Affected by 57 other vulnerabilities. |
| VCID-yeg5-jj4h-wqfc (aliases: CVE-2023-47798, GHSA-2mx7-xvfg-fg53) | Liferay Portal's account lockout does not invalidate existing user sessions: Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked. | Affected by 60 other vulnerabilities. |
| VCID-yexm-7ts5-6bes (aliases: CVE-2020-13444, GHSA-8j5r-9687-88w5) | Liferay Portal and Liferay DXP Fails to Sanitize API Data: Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 19, and 7.2 before fix pack 7, does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers. | Affected by 63 other vulnerabilities. |
| VCID-yh6t-s54s-aqg1 (aliases: CVE-2023-33949, GHSA-g9mr-9xfc-4gf7) | Insecure Default Initialization in Liferay Portal: In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true. | Affected by 60 other vulnerabilities. |
| VCID-yy64-v5fu-yuaq (aliases: CVE-2021-33333, GHSA-g7xc-m762-wg8f) | Liferay Portal and Liferay DXP Fails to Check User Permissions for Workflow Submissions: The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs. | Affected by 60 other vulnerabilities. |
| VCID-z8y3-sx1w-7ycm (aliases: CVE-2024-25606, GHSA-869h-qhfx-w939) | Liferay Portal has an XXE vulnerability in Java2WsddTask._format: XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method. | Affected by 67 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |