Vulnerabilities related to liferay - liferay_portal
cve-2024-25606
Vulnerability from cvelistv5
Published
2024-02-20 09:03
Modified
2024-08-01 23:44
Summary
XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25606",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T13:32:40.505546Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:20:56.428Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.795Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.7",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u3",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10.u11",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-19",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method."
            }
          ],
          "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T09:03:19.221Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25606",
    "datePublished": "2024-02-20T09:03:19.221Z",
    "dateReserved": "2024-02-08T13:57:11.425Z",
    "dateUpdated": "2024-08-01T23:44:09.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26267
Vulnerability from cvelistv5
Published
2024-02-20 13:01
Modified
2024-08-02 00:07
Summary
In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via the `Liferay-Portal` response header.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26267",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T15:20:52.766968Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:00.661Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:17.897Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.25",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u25",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10.u4",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-18",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via \u0027Liferay-Portal` response header."
            }
          ],
          "value": "In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via \u0027Liferay-Portal` response header."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188 Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T13:02:05.832Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26267",
    "datePublished": "2024-02-20T13:01:23.251Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-08-02T00:07:17.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25604
Vulnerability from cvelistv5
Published
2024-02-20 08:40
Modified
2024-08-01 23:44
Summary
Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25604",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T18:38:45.740772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:35:25.137Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.655Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.4",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "status": "affected",
              "version": "7.4.13"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel."
            }
          ],
          "value": "Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T08:40:59.252Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25604",
    "datePublished": "2024-02-20T08:40:59.252Z",
    "dateReserved": "2024-02-08T13:57:11.425Z",
    "dateUpdated": "2024-08-01T23:44:09.655Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42627
Vulnerability from cvelistv5
Published
2023-10-17 12:08
Modified
2024-08-02 19:23
Severity ?
Summary
Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region, (9) Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.
Impacted products
Vendor Product Version
Liferay DXP Version: 7.3.10
Version: 7.4.13
   Liferay Portal Version: 7.3.5


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:39.907Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627"
          },
          {
            "tags": [
              "third-party-advisory",
              "exploit",
              "x_transferred"
            ],
            "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10.*",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u91",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.91",
              "status": "affected",
              "version": "7.3.5",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Michael Oelke"
        }
      ],
      "datePublic": "2023-10-17T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code."
            }
          ],
          "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-10T02:28:51.923Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627"
        },
        {
          "tags": [
            "third-party-advisory",
            "exploit"
          ],
          "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-42627",
    "datePublished": "2023-10-17T12:08:22.684Z",
    "dateReserved": "2023-09-12T05:35:42.826Z",
    "dateUpdated": "2024-08-02T19:23:39.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26268
Vulnerability from cvelistv5
Published
2024-02-20 13:17
Modified
2024-08-15 17:50
Summary
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exists in the application by comparing the request's response time.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.174Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:liferay_enterprise_portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "liferay_enterprise_portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.26",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ibexa:digital_experience_platform:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "digital_experience_platform",
            "vendor": "ibexa",
            "versions": [
              {
                "lessThanOrEqual": "7.4.13.u26",
                "status": "affected",
                "version": "7.4.13",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.3.10.u7",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.2.10-dxp-19",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26268",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T16:17:11.147707Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T17:50:15.783Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.26",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u26",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10.u7",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-19",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Barnab\u00e1s Horv\u00e1th (T4r0)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request\u0027s response time."
            }
          ],
          "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request\u0027s response time."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203 Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T03:50:53.570Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26268",
    "datePublished": "2024-02-20T13:17:28.137Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-08-15T17:50:15.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42127
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 through 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that were assigned to a page.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.709Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42127"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17607"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42127"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17607"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42127",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.709Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-10795
Vulnerability from cvelistv5
Published
2018-05-07 13:00
Modified
2024-08-05 07:46
Severity ?
Summary
Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files
References
https://cxsecurity.com/issue/WLB-2018050029 (x_refsource_MISC)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:46:46.751Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cxsecurity.com/issue/WLB-2018050029"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-05-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u0027s environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-15T11:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cxsecurity.com/issue/WLB-2018050029"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10795",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "** DISPUTED ** Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u0027s environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cxsecurity.com/issue/WLB-2018050029",
              "refsource": "MISC",
              "url": "https://cxsecurity.com/issue/WLB-2018050029"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-10795",
    "datePublished": "2018-05-07T13:00:00",
    "dateReserved": "2018-05-07T00:00:00",
    "dateUpdated": "2024-08-05T07:46:46.751Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-1503
Vulnerability from cvelistv5
Published
2011-05-07 19:00
Modified
2024-09-17 01:50
Severity ?
Summary
The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:28:41.764Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
          },
          {
            "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
          },
          {
            "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/browse/LPS-13762"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-05-07T19:00:00Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
        },
        {
          "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
        },
        {
          "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/browse/LPS-13762"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-1503",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
            },
            {
              "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
            },
            {
              "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
            },
            {
              "name": "http://issues.liferay.com/browse/LPS-13762",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/browse/LPS-13762"
            },
            {
              "name": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-1503",
    "datePublished": "2011-05-07T19:00:00Z",
    "dateReserved": "2011-03-21T00:00:00Z",
    "dateUpdated": "2024-09-17T01:50:53.554Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-15839
Vulnerability from cvelistv5
Published
2020-09-22 17:27
Modified
2024-08-04 13:30
Severity ?
Summary
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:30:22.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17029"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17055"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-22T17:27:49",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17029"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17055"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15839",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17029",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-17029"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17055",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-17055"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15839",
    "datePublished": "2020-09-22T17:27:49",
    "dateReserved": "2020-07-20T00:00:00",
    "dateUpdated": "2024-08-04T13:30:22.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33336
Vulnerability from cvelistv5
Published
2021-08-04 12:53
Modified
2024-08-03 23:50
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33336-stored-xss-with-structure-name"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17078"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Journal module\u0027s add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-04T12:53:41",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33336-stored-xss-with-structure-name"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17078"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33336",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Journal module\u0027s add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33336-stored-xss-with-structure-name",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33336-stored-xss-with-structure-name"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17078",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17078"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33336",
    "datePublished": "2021-08-04T12:53:41",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42128
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:44.987Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42128"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17595"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42128"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17595"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42128",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:44.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29040
Vulnerability from cvelistv5
Published
2021-05-16 15:03
Modified
2024-08-03 21:55
Severity ?
Summary
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch other, more focused attacks via crafted inputs.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.496Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-16T15:03:16",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29040",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29040",
    "datePublished": "2021-05-16T15:03:16",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-38901
Vulnerability from cvelistv5
Published
2022-10-19 00:00
Modified
2024-08-03 11:02
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the file upload functionality of the Document and Media module in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of an uploaded SVG file.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T11:02:14.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-19T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
        },
        {
          "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-38901",
    "datePublished": "2022-10-19T00:00:00",
    "dateReserved": "2022-08-29T00:00:00",
    "dateUpdated": "2024-08-03T11:02:14.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-26596
Vulnerability from cvelistv5
Published
2022-04-25 15:41
Modified
2024-08-03 05:03
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.
References
http://liferay.com (x_refsource_MISC)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:03:32.954Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Journal module\u0027s web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-25T15:41:28",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26596",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Journal module\u0027s web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26596",
    "datePublished": "2022-04-25T15:41:28",
    "dateReserved": "2022-03-07T00:00:00",
    "dateUpdated": "2024-08-03T05:03:32.954Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28978
Vulnerability from cvelistv5
Published
2022-09-21 23:38
Modified
2024-08-03 06:10
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via a user's name.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:58.317Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28978-stored-xss-with-user-name-in-site-membership"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stored cross-site scripting (XSS) vulnerability in the Site module\u0027s user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user\u0027s name."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-21T23:38:59",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28978-stored-xss-with-user-name-in-site-membership"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-28978",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Stored cross-site scripting (XSS) vulnerability in the Site module\u0027s user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user\u0027s name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28978-stored-xss-with-user-name-in-site-membership",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28978-stored-xss-with-user-name-in-site-membership"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28978",
    "datePublished": "2022-09-21T23:38:59",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-08-03T06:10:58.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25145
Vulnerability from cvelistv5
Published
2024-02-07 14:57
Modified
2024-08-22 19:00
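Severity
9.6 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, as scored by the CNA (Liferay) in the record below. The vector sets Privileges Required to None, while the summary describes the attacker as a remote authenticated user.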
Summary
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.657Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.11",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.13.u7",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.3.10-dxp-3",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.2.10-dxp-16",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-08T17:02:17.600468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-22T19:00:34.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.11",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u7",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app\u0027s search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app\u0027s search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-07T14:57:33.054Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25145",
    "datePublished": "2024-02-07T14:57:33.054Z",
    "dateReserved": "2024-02-06T10:32:42.566Z",
    "dateUpdated": "2024-08-22T19:00:34.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-16147
Vulnerability from cvelistv5
Published
2019-09-09 20:45
Modified
2024-08-05 01:10
Severity ?
Summary
Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:10:40.970Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-09T20:45:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-16147",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f",
              "refsource": "MISC",
              "url": "https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-16147",
    "datePublished": "2019-09-09T20:45:18",
    "dateReserved": "2019-09-09T00:00:00",
    "dateUpdated": "2024-08-05T01:10:40.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-6588
Vulnerability from cvelistv5
Published
2019-06-03 19:43
Modified
2024-08-04 20:23
Severity ?
Summary
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:23:22.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-05-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the \"url\" parameter of the JSP taglib call \u003cliferay-ui:captcha url=\"\u003c%= url %\u003e\" /\u003e or \u003cliferay-captcha:captcha url=\"\u003c%= url %\u003e\" /\u003e. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-12T19:06:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-6588",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the \"url\" parameter of the JSP taglib call \u003cliferay-ui:captcha url=\"\u003c%= url %\u003e\" /\u003e or \u003cliferay-captcha:captcha url=\"\u003c%= url %\u003e\" /\u003e. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
            },
            {
              "name": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-6588",
    "datePublished": "2019-06-03T19:43:42",
    "dateReserved": "2019-01-22T00:00:00",
    "dateUpdated": "2024-08-04T20:23:22.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25608
Vulnerability from cvelistv5
Published
2024-02-20 09:26
Modified
2024-08-01 23:44
Summary
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25608",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T17:50:15.005965Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:47.059Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.18",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u18",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-18",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the \u0027REPLACEMENT CHARACTER\u0027 (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect."
            }
          ],
          "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the \u0027REPLACEMENT CHARACTER\u0027 (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T09:26:10.743Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25608",
    "datePublished": "2024-02-20T09:26:10.743Z",
    "dateReserved": "2024-02-08T13:57:11.426Z",
    "dateUpdated": "2024-08-01T23:44:09.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42120
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.509Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17513"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences\u0027 `namespace` attribute."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17513"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42120",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38263
Vulnerability from cvelistv5
Published
2022-03-02 23:10
Modified
2024-08-04 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.466Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17061"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Server module\u0027s script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-15T11:18:04",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17061"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-38263",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Server module\u0027s script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17061",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-17061"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-38263",
    "datePublished": "2022-03-02T23:10:21",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42119
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.180Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42119"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17632"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42119"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17632"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42119",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-26595
Vulnerability from cvelistv5
Published
2022-04-19 12:52
Modified
2024-08-03 05:03
Severity ?
Summary
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 do not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:03:33.282Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user\u0027s site membership assignment UI."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T12:52:20",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26595",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user\u0027s site membership assignment UI."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26595",
    "datePublished": "2022-04-19T12:52:20",
    "dateReserved": "2022-03-07T00:00:00",
    "dateUpdated": "2024-08-03T05:03:33.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25602
Vulnerability from cvelistv5
Published
2024-02-21 01:45
Modified
2024-08-01 23:44
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization’s “Name” text field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25602",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T15:23:34.173155Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:20:59.028Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.672Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25602"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.2",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in Users Admin module\u0027s edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization\u2019s \u201cName\u201d text field"
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in Users Admin module\u0027s edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization\u2019s \u201cName\u201d text field"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T01:45:15.312Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25602"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25602",
    "datePublished": "2024-02-21T01:45:15.312Z",
    "dateReserved": "2024-02-08T13:57:11.425Z",
    "dateUpdated": "2024-08-01T23:44:09.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38267
Vulnerability from cvelistv5
Published
2022-03-02 23:15
Modified
2024-08-04 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.403Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entry"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Blogs module\u0027s edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T13:23:31",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entry"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-38267",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Blogs module\u0027s edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entry",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entry"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-38267",
    "datePublished": "2022-03-02T23:15:45",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-40191
Vulnerability from cvelistv5
Published
2024-02-21 03:06
Modified
2024-08-02 18:24
Severity ?
Summary
Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.44
   Liferay DXP Version: 2023.q3.1
Version: 7.4.13.u44


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40191",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T16:04:15.992539Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:49.977Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:24:55.603Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.97",
              "status": "affected",
              "version": "7.4.3.44",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "2023.q3.5",
              "status": "affected",
              "version": "2023.q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u92",
              "status": "affected",
              "version": "7.4.13.u44",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Amin ACHOUR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the \u201cBlocked Email Domains\u201d text field"
            }
          ],
          "value": "Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the \u201cBlocked Email Domains\u201d text field"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T03:06:30.224Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-40191",
    "datePublished": "2024-02-21T03:06:30.224Z",
    "dateReserved": "2023-08-10T07:17:26.967Z",
    "dateUpdated": "2024-08-02T18:24:55.603Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-41414
Vulnerability from cvelistv5
Published
2022-10-07 00:00
Modified
2024-08-03 12:42
Severity ?
Summary
An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:42:46.245Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-41414",
    "datePublished": "2022-10-07T00:00:00",
    "dateReserved": "2022-09-26T00:00:00",
    "dateUpdated": "2024-08-03T12:42:46.245Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26265
Vulnerability from cvelistv5
Published
2024-02-20 12:51
Modified
2024-10-02 15:35
Summary
The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26265",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T19:41:28.464221Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:48:44.628Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:17.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26265"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.15",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u15",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-18",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system\u0027s temp folder by modifying the `maxFileSize` parameter."
            }
          ],
          "value": "The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system\u0027s temp folder by modifying the `maxFileSize` parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-02T15:35:51.464Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26265"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26265",
    "datePublished": "2024-02-20T12:51:48.261Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-10-02T15:35:51.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42114
Vulnerability from cvelistv5
Published
2022-10-18 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:44.095Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42114"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Role module\u0027s edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-18T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42114"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42114",
    "datePublished": "2022-10-18T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:44.095Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33339
Vulnerability from cvelistv5
Published
2021-08-04 12:48
Modified
2024-08-03 23:50
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747934"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17102"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-04T12:48:21",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747934"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17102"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33339",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747934",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747934"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17102",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17102"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33339",
    "datePublished": "2021-08-04T12:48:21",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33945
Vulnerability from cvelistv5
Published
2023-05-24 15:22
Modified
2024-10-22 15:51
Summary
SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.3.1
   Liferay DXP Version: 7.3.10
Version: 7.4.13


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.406Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:49:11.404495Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:51:59.026Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.17",
              "status": "affected",
              "version": "7.3.1",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10.u5",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u17",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table\u0027s primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded."
            }
          ],
          "value": "SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table\u0027s primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T15:22:39.081Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33945",
    "datePublished": "2023-05-24T15:22:39.081Z",
    "dateReserved": "2023-05-24T02:36:00.164Z",
    "dateUpdated": "2024-10-22T15:51:59.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-38512
Vulnerability from cvelistv5
Published
2022-09-22 00:17
Modified
2024-08-03 10:54
Severity ?
Summary
The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.
Impacted products
Vendor Product Version
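n/a n/a Version: n/a (the record carries no structured vendor/product/version data; the affected versions are stated only in the Summary)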


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:54:03.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page\u0027s XLIFF translation file via crafted URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-22T00:17:41",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-38512",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page\u0027s XLIFF translation file via crafted URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-38512",
    "datePublished": "2022-09-22T00:17:41",
    "dateReserved": "2022-08-22T00:00:00",
    "dateUpdated": "2024-08-03T10:54:03.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25607
Vulnerability from cvelistv5
Published
2024-02-20 09:17
Modified
2024-08-01 23:44
Summary
The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:digital_experience_platform:7.2.10:*:*:*:*:*:*:*",
              "cpe:2.3:a:liferay:digital_experience_platform:7.3.10:*:*:*:*:*:*:*",
              "cpe:2.3:a:liferay:digital_experience_platform:7.4.13:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "digital_experience_platform",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.2.10-dxp-16",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.3.10-dxp-3",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.4.13.u15",
                "status": "affected",
                "version": "7.4.13",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:liferay_portal:7.2.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:liferay:liferay_portal:7.3.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "liferay_portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.2.1",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.3.7",
                "status": "affected",
                "version": "7.3.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.4.3.13",
                "status": "affected",
                "version": "7.4.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25607",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T13:27:04.966342Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-26T19:15:32.185Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.762Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.15",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u15",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes."
            }
          ],
          "value": "The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-916",
              "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T09:17:04.894Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25607",
    "datePublished": "2024-02-20T09:17:04.894Z",
    "dateReserved": "2024-02-08T13:57:11.425Z",
    "dateUpdated": "2024-08-01T23:44:09.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29045
Vulnerability from cvelistv5
Published
2021-05-17 10:22
Modified
2024-08-03 21:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter.
Impacted products
Vendor Product Version
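n/a n/a Version: n/a (the record carries no structured vendor/product/version data; the affected versions are stated only in the Summary)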


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.509Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743484"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Redirect module\u0027s redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T10:22:30",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743484"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29045",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Redirect module\u0027s redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743484",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743484"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29045",
    "datePublished": "2021-05-17T10:22:30",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-2963
Vulnerability from cvelistv5
Published
2014-07-10 10:00
Modified
2024-08-06 10:28
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.
References
http://www.kb.cert.org/vuls/id/100972 (third-party-advisory, x_refsource_CERT-VN)
https://github.com/samuelkong/liferay-portal/pull/610 (x_refsource_CONFIRM)
Impacted products
Vendor Product Version
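n/a n/a Version: n/a (the record carries no structured vendor/product/version data; the affected versions are stated only in the Summary)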


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:28:46.333Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#100972",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/100972"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/samuelkong/liferay-portal/pull/610"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-07-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-07-10T06:57:00",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#100972",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/100972"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/samuelkong/liferay-portal/pull/610"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2014-2963",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#100972",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/100972"
            },
            {
              "name": "https://github.com/samuelkong/liferay-portal/pull/610",
              "refsource": "CONFIRM",
              "url": "https://github.com/samuelkong/liferay-portal/pull/610"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2014-2963",
    "datePublished": "2014-07-10T10:00:00",
    "dateReserved": "2014-04-21T00:00:00",
    "dateUpdated": "2024-08-06T10:28:46.333Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29048
Vulnerability from cvelistv5
Published
2021-05-17 11:08
Modified
2024-08-03 21:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.
Impacted products
Vendor Product Version
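n/a n/a Version: n/a (the record carries no structured vendor/product/version data; the affected versions are stated only in the Summary)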


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.617Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T11:08:23",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29048",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29048",
    "datePublished": "2021-05-17T11:08:23",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.617Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42122
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:44.108Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17520"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17520"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42122",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:44.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42129
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.442Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17448"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17448"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42129",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-26597
Vulnerability from cvelistv5
Published
2022-04-25 15:02
Modified
2024-08-03 05:11
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.
References
http://liferay.com (x_refsource_MISC)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:11:42.693Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-25T15:02:53",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26597",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26597",
    "datePublished": "2022-04-25T15:02:53",
    "dateReserved": "2022-03-07T00:00:00",
    "dateUpdated": "2024-08-03T05:11:42.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-38902
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2024-08-03 11:02
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the "add new topic" functionality of the Blog module in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of a newly created topic.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T11:02:14.682Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-13T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
        },
        {
          "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-38902",
    "datePublished": "2022-10-13T00:00:00",
    "dateReserved": "2022-08-29T00:00:00",
    "dateUpdated": "2024-08-03T11:02:14.682Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25609
Vulnerability from cvelistv5
Published
2024-02-20 09:37
Modified
2024-08-23 19:19
Summary
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10-dxp-3
Version: 7.2.10-dxp-15


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.679Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25609"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25609",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-23T19:18:48.528753Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-23T19:19:20.308Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.12",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u8",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "status": "affected",
              "version": "7.3.10-dxp-3"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-18",
              "status": "affected",
              "version": "7.2.10-dxp-15",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977."
            }
          ],
          "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T09:37:55.362Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25609"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25609",
    "datePublished": "2024-02-20T09:37:55.362Z",
    "dateReserved": "2024-02-08T13:57:11.426Z",
    "dateUpdated": "2024-08-23T19:19:20.308Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-15840
Vulnerability from cvelistv5
Published
2020-09-24 14:56
Modified
2024-08-04 13:30
Severity ?
Summary
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with double-encoded URLs.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:30:22.352Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17046"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property \u0027portlet.resource.id.banned.paths.regexp\u0027 can be bypassed with doubled encoded URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-24T14:56:23",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17046"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15840",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property \u0027portlet.resource.id.banned.paths.regexp\u0027 can be bypassed with doubled encoded URLs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17046",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17046"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15840",
    "datePublished": "2020-09-24T14:56:23",
    "dateReserved": "2020-07-20T00:00:00",
    "dateUpdated": "2024-08-04T13:30:22.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26269
Vulnerability from cvelistv5
Published
2024-02-21 02:39
Modified
2024-08-02 00:07
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.37",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.13.u37",
                "status": "affected",
                "version": "7.4.13",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.3.10.u10",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.2.10-dxp-19",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26269",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T16:16:54.489514Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-26T16:43:03.198Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.085Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.37",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u37",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10.u10",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-19",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in the Frontend JS module\u0027s portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in the Frontend JS module\u0027s portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T02:39:41.806Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26269",
    "datePublished": "2024-02-21T02:39:41.806Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-08-02T00:07:19.085Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-25146
Vulnerability from cvelistv5
Published
2022-03-02 23:28
Modified
2024-08-03 04:29
Severity ?
Summary
The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
Impacted products
Vendor Product Version
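n/a n/a Version: n/a (the record's structured "affected" field names no product or version; the affected Liferay Portal and DXP versions appear only in the Summary text, so matching on the structured field alone will miss this entry)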


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:29:01.763Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securitum.pl"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-22T23:54:31",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securitum.pl"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-25146",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://www.securitum.pl",
              "refsource": "MISC",
              "url": "https://www.securitum.pl"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-25146",
    "datePublished": "2022-03-02T23:28:42",
    "dateReserved": "2022-02-14T00:00:00",
    "dateUpdated": "2024-08-03T04:29:01.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42497
Vulnerability from cvelistv5
Published
2023-10-17 07:56
Modified
2024-09-13 16:32
Severity ?
Summary
Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:38.911Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42497",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-13T16:32:09.323926Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-13T16:32:16.701Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u85",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.85",
              "status": "affected",
              "version": "7.4.3.4",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Amin ACHOUR"
        }
      ],
      "datePublic": "2023-10-17T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.\u003cbr\u003e"
            }
          ],
          "value": "Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-17T07:56:20.696Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-42497",
    "datePublished": "2023-10-17T07:56:20.696Z",
    "dateReserved": "2023-09-11T08:54:24.312Z",
    "dateUpdated": "2024-09-13T16:32:16.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-3193
Vulnerability from cvelistv5
Published
2023-06-15 03:47
Modified
2024-10-22 15:42
Summary
Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.70
   Liferay DXP Version: 7.4.13.u70


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:48:07.984Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3193"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3193",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:42:06.456978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:42:25.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.73",
              "status": "affected",
              "version": "7.4.3.70",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u73",
              "status": "affected",
              "version": "7.4.13.u70",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Henrik Bayer (NDIx)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-15T03:47:57.663Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3193"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-3193",
    "datePublished": "2023-06-15T03:47:57.663Z",
    "dateReserved": "2023-06-12T01:31:14.692Z",
    "dateUpdated": "2024-10-22T15:42:25.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28981
Vulnerability from cvelistv5
Published
2022-09-22 00:06
Modified
2024-08-03 06:10
Severity ?
Summary
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.
Impacted products
Vendor Product Version
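n/a n/a Version: n/a (the record's structured "affected" field names no product or version; the affected Liferay Portal versions appear only in the Summary text, so matching on the structured field alone will miss this entry)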


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:57.779Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28981-path-traversal-vulnerability-in-hypermedia-rest-apis"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-22T00:06:35",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28981-path-traversal-vulnerability-in-hypermedia-rest-apis"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-28981",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28981-path-traversal-vulnerability-in-hypermedia-rest-apis",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28981-path-traversal-vulnerability-in-hypermedia-rest-apis"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28981",
    "datePublished": "2022-09-22T00:06:35",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-08-03T06:10:57.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42130
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.
Impacted products
Vendor Product Version
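n/a n/a Version: n/a (the record's structured "affected" field names no product or version; the affected Liferay Portal and DXP versions appear only in the Summary text, so matching on the structured field alone will miss this entry)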


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.003Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17447"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17447"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42130",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38268
Vulnerability from cvelistv5
Published
2022-03-02 18:45
Modified
2024-08-04 01:37
Severity ?
Summary
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.
Impacted products
Vendor Product Version
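n/a n/a Version: n/a (the record's structured "affected" field names no product or version; the affected Liferay Portal and DXP versions appear only in the Summary text, so matching on the structured field alone will miss this entry)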


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.326Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-15T17:20:20",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-38268",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-38268",
    "datePublished": "2022-03-02T18:45:26",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33321
Vulnerability from cvelistv5
Published
2021-08-03 18:12
Modified
2024-08-03 23:50
Severity ?
Summary
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.580Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://help.liferay.com/hc/en-us/articles/360050785632"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:12:26",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://help.liferay.com/hc/en-us/articles/360050785632"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33321",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055"
            },
            {
              "name": "https://help.liferay.com/hc/en-us/articles/360050785632",
              "refsource": "MISC",
              "url": "https://help.liferay.com/hc/en-us/articles/360050785632"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33321",
    "datePublished": "2021-08-03T18:12:26",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38264
Vulnerability from cvelistv5
Published
2022-03-02 23:06
Modified
2024-08-04 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.257Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-15T16:57:27",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-38264",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-38264",
    "datePublished": "2022-03-02T23:06:32",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.257Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-38002
Vulnerability from cvelistv5
Published
2024-10-22 15:12
Modified
2024-10-22 15:22
Severity ?
Summary
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.3.2
Version: 7.4.0
   Liferay DXP Version: 7.3.10
Version: 7.4.13
Version: 2023.Q3.1
Version: 2023.Q4.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.111",
                "status": "affected",
                "version": "7.4.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.3.7",
                "status": "affected",
                "version": "7.3.2",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "2023.q4.5",
                "status": "affected",
                "version": "2023.q4.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "2023.q3.8",
                "status": "affected",
                "version": "2023.q3.1",
                "versionType": "maven"
              },
              {
                "status": "affected",
                "version": "7.4"
              },
              {
                "status": "affected",
                "version": "7.3"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38002",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:21:03.278642Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:22:55.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.7",
              "status": "affected",
              "version": "7.3.2",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.3.111",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-u36",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13-u92",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q3.8",
              "status": "affected",
              "version": "2023.Q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q4.5",
              "status": "affected",
              "version": "2023.Q4.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API."
            }
          ],
          "value": "The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T15:12:42.223Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-38002",
    "datePublished": "2024-10-22T15:12:42.223Z",
    "dateReserved": "2024-06-11T15:40:10.985Z",
    "dateUpdated": "2024-10-22T15:22:55.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42628
Vulnerability from cvelistv5
Published
2023-10-17 11:52
Modified
2024-08-02 19:23
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
Impacted products
Vendor Product Version
Liferay DXP Version: 7.0.10-de-83
Version: 7.1.10
Version: 7.2.10
Version: 7.3.10
Version: 7.4.13
   Liferay Portal Version: 7.1.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:40.284Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628"
          },
          {
            "tags": [
              "third-party-advisory",
              "exploit",
              "x_transferred"
            ],
            "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.0.10-*",
              "status": "affected",
              "version": "7.0.10-de-83",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.1.10-*",
              "status": "affected",
              "version": "7.1.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-*",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-*",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u87",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.87",
              "status": "affected",
              "version": "7.1.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Michael Oelke"
        }
      ],
      "datePublic": "2023-10-17T11:55:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page\u0027s \u2018Content\u2019 text field."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page\u0027s \u2018Content\u2019 text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-10T02:32:30.141Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628"
        },
        {
          "tags": [
            "third-party-advisory",
            "exploit"
          ],
          "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-42628",
    "datePublished": "2023-10-17T11:52:45.867Z",
    "dateReserved": "2023-09-12T05:35:42.826Z",
    "dateUpdated": "2024-08-02T19:23:40.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2010-5327
Vulnerability from cvelistv5
Published
2017-01-13 19:00
Modified
2024-08-07 04:17
Severity ?
Summary
Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T04:17:10.310Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPS-7087"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-14964"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPS-64547"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-01-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-13T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPS-7087"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-14964"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPS-64547"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2010-5327",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://issues.liferay.com/browse/LPS-7087",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPS-7087"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-14964",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-14964"
            },
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities"
            },
            {
              "name": "https://github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91",
              "refsource": "CONFIRM",
              "url": "https://github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91"
            },
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates"
            },
            {
              "name": "https://issues.liferay.com/browse/LPS-64547",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPS-64547"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2010-5327",
    "datePublished": "2017-01-13T19:00:00",
    "dateReserved": "2016-09-08T00:00:00",
    "dateUpdated": "2024-08-07T04:17:10.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33324
Vulnerability from cvelistv5
Published
2021-08-03 18:24
Modified
2024-08-03 23:50
Severity ?
Summary
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.
Impacted products
Vendor Product Version
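n/a n/a Version: n/a (the CNA record carries no structured product data; the affected versions appear only in the Summary above)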


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.915Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17001"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site\u0027s page administration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:24:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17001"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33324",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site\u0027s page administration."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17001",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17001"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33324",
    "datePublished": "2021-08-03T18:24:05",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.915Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26266
Vulnerability from cvelistv5
Published
2024-02-21 02:32
Modified
2024-08-02 00:07
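Severity: 9.0 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, as scored by the CNA in the record below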
Summary
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26266",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-22T16:43:41.174610Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:55.881Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:18.940Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26266"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.13",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u9",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget."
            }
          ],
          "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T02:32:25.050Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26266"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26266",
    "datePublished": "2024-02-21T02:32:25.050Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-08-02T00:07:18.940Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42117
Vulnerability from cvelistv5
Published
2022-10-18 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.
Impacted products
Vendor Product Version
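n/a n/a Version: n/a (the CNA record carries no structured product data; the affected versions appear only in the Summary above)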


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42117"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-18T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42117"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42117",
    "datePublished": "2022-10-18T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33335
Vulnerability from cvelistv5
Published
2021-08-03 21:03
Modified
2024-08-03 23:50
Severity ?
Summary
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.
Impacted products
Vendor Product Version
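n/a n/a Version: n/a (the CNA record carries no structured product data; the affected versions appear only in the Summary above)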


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.962Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17103"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T21:03:38",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17103"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33335",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17103",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17103"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33335",
    "datePublished": "2021-08-03T21:03:38",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29039
Vulnerability from cvelistv5
Published
2021-05-16 14:58
Modified
2024-08-03 21:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.
Impacted products
Vendor Product Version
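n/a n/a Version: n/a (the CNA record carries no structured product data; the affected versions appear only in the Summary above)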


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.528Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-16T14:58:31",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29039",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29039",
    "datePublished": "2021-05-16T14:58:31",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25603
Vulnerability from cvelistv5
Published
2024-02-21 02:09
Modified
2024-08-20 19:57
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.668Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.4",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:digital_experience_platform:7.4.13:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "digital_experience_platform",
            "vendor": "liferay",
            "versions": [
              {
                "status": "affected",
                "version": "7.4.13"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "digital_experience_platform",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.3.10-dxp-3",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.2.10-dxp-16",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25603",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T15:56:27.091382Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-20T19:57:19.139Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.4",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "status": "affected",
              "version": "7.4.13"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module\u0027s DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module\u0027s DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T02:09:59.923Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25603",
    "datePublished": "2024-02-21T02:09:59.923Z",
    "dateReserved": "2024-02-08T13:57:11.425Z",
    "dateUpdated": "2024-08-20T19:57:19.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33944
Vulnerability from cvelistv5
Published
2023-05-24 15:07
Modified
2024-10-22 15:52
Summary
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.3.4
   Liferay DXP Version: 7.3.10
Version: 7.4.13


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.400Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33944",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:45:15.910473Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:07.008Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.68",
              "status": "affected",
              "version": "7.3.4",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10.u23",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u68",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment\u0027s `URL` text field."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment\u0027s `URL` text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T15:07:14.026Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33944",
    "datePublished": "2023-05-24T15:07:14.026Z",
    "dateReserved": "2023-05-24T02:36:00.164Z",
    "dateUpdated": "2024-10-22T15:52:07.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42111
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:44.112Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42111"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17379"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Sharing module\u0027s user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42111"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17379"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42111",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:44.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25147
Vulnerability from cvelistv5
Published
2024-02-21 01:16
Modified
2024-08-01 23:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.1",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.3.10-dxp-2",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.2.10-dxp-14",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25147",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T16:15:43.147628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-26T16:49:27.250Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.759Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.1",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-14",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T01:16:21.256Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25147",
    "datePublished": "2024-02-21T01:16:21.256Z",
    "dateReserved": "2024-02-06T10:32:42.567Z",
    "dateUpdated": "2024-08-01T23:36:21.759Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-26593
Vulnerability from cvelistv5
Published
2022-04-19 12:46
Modified
2024-08-03 05:03
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of an asset category.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:03:33.251Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26593-stored-xss-with-category-name-in-asset-categories-selector"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of a asset category."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T12:46:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26593-stored-xss-with-category-name-in-asset-categories-selector"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26593",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of a asset category."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26593-stored-xss-with-category-name-in-asset-categories-selector",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26593-stored-xss-with-category-name-in-asset-categories-selector"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26593",
    "datePublished": "2022-04-19T12:46:15",
    "dateReserved": "2022-03-07T00:00:00",
    "dateUpdated": "2024-08-03T05:03:33.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-5190
Vulnerability from cvelistv5
Published
2024-02-20 06:03
Modified
2024-08-02 07:52
Summary
Open redirect vulnerability in the Countries Management’s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.45
   Liferay DXP Version: 2023.q3.1
Version: 7.4.13.u45


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5190",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T18:29:08.593069Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:47.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:52:07.791Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-5190"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.101",
              "status": "affected",
              "version": "7.4.3.45",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "2023.q3.5",
              "status": "affected",
              "version": "2023.q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u92",
              "status": "affected",
              "version": "7.4.13.u45",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Amin ACHOUR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Open redirect vulnerability in the Countries Management\u2019s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter."
            }
          ],
          "value": "Open redirect vulnerability in the Countries Management\u2019s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T06:03:45.941Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-5190"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-5190",
    "datePublished": "2024-02-20T06:03:45.941Z",
    "dateReserved": "2023-09-26T05:30:24.925Z",
    "dateUpdated": "2024-08-02T07:52:07.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-47795
Vulnerability from cvelistv5
Published
2024-02-21 14:01
Modified
2024-08-02 21:16
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.18
   Liferay DXP Version: 2023.q3.1
Version: 7.4.13.u18


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-47795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T18:14:14.835953Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:20:59.522Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:16:43.666Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.101",
              "status": "affected",
              "version": "7.4.3.18",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "2023.q3.5",
              "status": "affected",
              "version": "2023.q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u92",
              "status": "affected",
              "version": "7.4.13.u18",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Erwin Krazek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document\u0027s \u201cTitle\u201d text field."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document\u0027s \u201cTitle\u201d text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T14:01:00.773Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-47795",
    "datePublished": "2024-02-21T14:01:00.773Z",
    "dateReserved": "2023-11-10T01:49:20.188Z",
    "dateUpdated": "2024-08-02T21:16:43.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38269
Vulnerability from cvelistv5
Published
2022-03-02 23:25
Modified
2024-08-04 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.197Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38269-stored-xss-with-gogo-shell-output"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T15:21:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38269-stored-xss-with-gogo-shell-output"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-38269",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38269-stored-xss-with-gogo-shell-output",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38269-stored-xss-with-gogo-shell-output"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-38269",
    "datePublished": "2022-03-02T23:25:56",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25150
Vulnerability from cvelistv5
Published
2024-02-20 08:11
Modified
2024-08-01 23:36
Summary
Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25150",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T14:56:08.054595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:20:56.883Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.623Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.2",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-18",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Sahil Mehra"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user\u0027s full name from the page\u0027s title by enumerating user screen names."
            }
          ],
          "value": "Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user\u0027s full name from the page\u0027s title by enumerating user screen names."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T08:11:28.312Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25150",
    "datePublished": "2024-02-20T08:11:28.312Z",
    "dateReserved": "2024-02-06T10:32:42.567Z",
    "dateUpdated": "2024-08-01T23:36:21.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29043
Vulnerability from cvelistv5
Published
2021-05-17 10:48
Modified
2024-08-03 21:55
Severity ?
Summary
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.547Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store\u0027s proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T10:48:12",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29043",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store\u0027s proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29043",
    "datePublished": "2021-05-17T10:48:12",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.547Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33326
Vulnerability from cvelistv5
Published
2021-08-03 18:37
Modified
2024-08-03 23:50
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.576Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747869"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17093"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:37:32",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747869"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17093"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33326",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747869",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747869"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17093",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17093"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33326",
    "datePublished": "2021-08-03T18:37:32",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42125
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.614Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17517"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17517"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42125",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28979
Vulnerability from cvelistv5
Published
2022-09-21 23:22
Modified
2024-08-03 06:10
Severity ?
Summary
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 were discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
Impacted products
Vendor Product Version
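n/a n/a Version: n/a (the CNA left the structured vendor/product/version fields unpopulated; the affected Liferay Portal and DXP versions are stated only in the Summary, so tooling that matches on the structured fields alone may miss this record)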


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:58.713Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17381"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-22T23:50:33",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17381"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-28979",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17381",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-17381"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28979",
    "datePublished": "2022-09-21T23:22:44",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-08-03T06:10:58.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-35463
Vulnerability from cvelistv5
Published
2021-08-04 13:21
Modified
2024-08-04 00:40
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter.
Impacted products
Vendor Product Version
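n/a n/a Version: n/a (the CNA left the structured vendor/product/version fields unpopulated; the affected release, Liferay Portal 7.4.0, is stated only in the Summary, so tooling that matches on the structured fields alone may miss this record)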


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:40:45.912Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120850663"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-05T14:51:11",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120850663"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-35463",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120850663",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120850663"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-35463",
    "datePublished": "2021-08-04T13:21:32",
    "dateReserved": "2021-06-23T00:00:00",
    "dateUpdated": "2024-08-04T00:40:45.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26270
Vulnerability from cvelistv5
Published
2024-02-20 13:43
Modified
2024-08-16 19:55
Summary
The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user's hashed password in the page's HTML source, which allows man-in-the-middle attackers to steal a user's hashed password. A disclosed hash can be subjected to offline guessing, so it should be treated as a compromised credential.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.76
   Liferay DXP Version: 2023.q3.1
Version: 7.4.13.u76


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.056Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26270",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-16T19:55:04.883437Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-16T19:55:12.801Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.99",
              "status": "affected",
              "version": "7.4.3.76",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "2023.q3.4",
              "status": "affected",
              "version": "2023.q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u92",
              "status": "affected",
              "version": "7.4.13.u76",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user\u2019s hashed password in the page\u2019s HTML source, which allows man-in-the-middle attackers to steal a user\u0027s hashed password."
            }
          ],
          "value": "The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user\u2019s hashed password in the page\u2019s HTML source, which allows man-in-the-middle attackers to steal a user\u0027s hashed password."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T13:43:46.074Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26270",
    "datePublished": "2024-02-20T13:43:46.074Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-08-16T19:55:12.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33943
Vulnerability from cvelistv5
Published
2023-05-24 14:57
Modified
2024-10-22 15:52
Summary
Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.21
   Liferay DXP Version: 7.4.13.u21


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.419Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33943"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33943",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:46:56.420516Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:13.867Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.62",
              "status": "affected",
              "version": "7.4.3.21",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u62",
              "status": "affected",
              "version": "7.4.13.u21",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user\u0027s (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user\u0027s (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T14:57:46.177Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33943"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33943",
    "datePublished": "2023-05-24T14:57:46.177Z",
    "dateReserved": "2023-05-24T02:36:00.163Z",
    "dateUpdated": "2024-10-22T15:52:13.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-26594
Vulnerability from cvelistv5
Published
2022-04-15 15:50
Modified
2024-08-03 05:03
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) the Forms module's form builder, or (2) the App Builder module's object form view's form builder.
Impacted products
Vendor Product Version
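n/a n/a Version: n/a (the CNA left the structured vendor/product/version fields unpopulated; the affected Liferay Portal and DXP versions are stated only in the Summary, so tooling that matches on the structured fields alone may miss this record)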


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:03:32.874Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field\u0027s help text to (1) Forms module\u0027s form builder, or (2) App Builder module\u0027s object form view\u0027s form builder."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-15T15:50:26",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26594",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field\u0027s help text to (1) Forms module\u0027s form builder, or (2) App Builder module\u0027s object form view\u0027s form builder."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26594",
    "datePublished": "2022-04-15T15:50:26",
    "dateReserved": "2022-03-07T00:00:00",
    "dateUpdated": "2024-08-03T05:03:32.874Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-12645
Vulnerability from cvelistv5
Published
2017-08-07 16:00
Modified
2024-09-16 17:33
Severity ?
Summary
Cross-site scripting (XSS) exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.
Impacted products
Vendor Product Version
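n/a n/a Version: n/a (the CNA left the structured vendor/product/version fields unpopulated; the affected range, Liferay Portal before 7.0 CE GA4, is stated only in the Summary, so tooling that matches on the structured fields alone may miss this record)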


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.487Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPS-72307"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T16:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPS-72307"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12645",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://issues.liferay.com/browse/LPS-72307",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPS-72307"
            },
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-12645",
    "datePublished": "2017-08-07T16:00:00Z",
    "dateReserved": "2017-08-07T00:00:00Z",
    "dateUpdated": "2024-09-16T17:33:38.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29052
Vulnerability from cvelistv5
Published
2021-05-17 11:16
Modified
2024-08-03 21:55
Severity ?
Summary
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.481Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T11:16:27",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29052",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29052",
    "datePublished": "2021-05-17T11:16:27",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.481Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33950
Vulnerability from cvelistv5
Published
2023-05-24 16:10
Modified
2024-10-22 15:51
Summary
Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.48
   Liferay DXP Version: 7.4.13.u48


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.911Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33950",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:43:43.861695Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:51:22.703Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.76",
              "status": "affected",
              "version": "7.4.3.48",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u76",
              "status": "affected",
              "version": "7.4.13.u48",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs."
            }
          ],
          "value": "Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T16:10:10.701Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33950",
    "datePublished": "2023-05-24T16:10:10.701Z",
    "dateReserved": "2023-05-24T02:36:00.165Z",
    "dateUpdated": "2024-10-22T15:51:22.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33947
Vulnerability from cvelistv5
Published
2023-05-24 15:34
Modified
2024-10-22 15:51
Summary
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.639Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:44:18.454627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:51:45.231Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.60",
              "status": "affected",
              "version": "7.4.3.4",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u60",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition."
            }
          ],
          "value": "The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T15:34:37.132Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33947",
    "datePublished": "2023-05-24T15:34:37.132Z",
    "dateReserved": "2023-05-24T02:36:00.165Z",
    "dateUpdated": "2024-10-22T15:51:45.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33328
Vulnerability from cvelistv5
Published
2021-08-03 18:41
Modified
2024-08-03 23:50
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.587Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17100"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:41:46",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17100"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33328",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17100",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17100"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33328",
    "datePublished": "2021-08-03T18:41:46",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-12646
Vulnerability from cvelistv5
Published
2017-08-07 16:00
Modified
2024-09-16 16:34
Severity ?
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.441Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/brianchandotcom/liferay-portal/pull/49833"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T16:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/brianchandotcom/liferay-portal/pull/49833"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12646",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/brianchandotcom/liferay-portal/pull/49833",
              "refsource": "CONFIRM",
              "url": "https://github.com/brianchandotcom/liferay-portal/pull/49833"
            },
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-12646",
    "datePublished": "2017-08-07T16:00:00Z",
    "dateReserved": "2017-08-07T00:00:00Z",
    "dateUpdated": "2024-09-16T16:34:07.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33949
Vulnerability from cvelistv5
Published
2023-05-24 16:01
Modified
2024-10-22 15:51
Summary
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:14.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33949",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:48:38.903885Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:51:31.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThan": "7.3.10",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don\u0027t control. The portal property `company.security.strangers.verify` should be set to true."
            }
          ],
          "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don\u0027t control. The portal property `company.security.strangers.verify` should be set to true."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188 Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T16:01:55.501Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33949",
    "datePublished": "2023-05-24T16:01:55.501Z",
    "dateReserved": "2023-05-24T02:36:00.165Z",
    "dateUpdated": "2024-10-22T15:51:31.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-44310
Vulnerability from cvelistv5
Published
2023-10-17 09:28
Modified
2024-09-13 16:31
Severity: 9.0 (CRITICAL) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, as scored by the CNA (Liferay)
Summary
Stored cross-site scripting (XSS) vulnerability in the Page Tree menu in Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a page's "Name" text field.
Impacted products
Vendor Product Version
Liferay DXP Version: 7.3.10.sp1
Version: 7.4.13
   Liferay Portal Version: 7.3.6


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:59:51.964Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-44310",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-13T16:31:02.702958Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-13T16:31:11.575Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10.u23",
              "status": "affected",
              "version": "7.3.10.sp1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u78",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.78",
              "status": "affected",
              "version": "7.3.6",
              "versionType": "maven"
            }
          ]
        }
      ],
      "datePublic": "2023-10-17T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page\u0027s \"Name\" text field."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page\u0027s \"Name\" text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-17T09:28:17.244Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-44310",
    "datePublished": "2023-10-17T09:28:17.244Z",
    "dateReserved": "2023-09-28T11:23:54.829Z",
    "dateUpdated": "2024-09-13T16:31:11.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-12648
Vulnerability from cvelistv5
Published
2017-08-07 16:00
Modified
2024-09-16 23:45
Severity ?
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.643Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/brianchandotcom/liferay-portal/pull/47888"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T16:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/brianchandotcom/liferay-portal/pull/47888"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12648",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/brianchandotcom/liferay-portal/pull/47888",
              "refsource": "CONFIRM",
              "url": "https://github.com/brianchandotcom/liferay-portal/pull/47888"
            },
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-12648",
    "datePublished": "2017-08-07T16:00:00Z",
    "dateReserved": "2017-08-07T00:00:00Z",
    "dateUpdated": "2024-09-16T23:45:33.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-44311
Vulnerability from cvelistv5
Published
2023-10-17 09:39
Modified
2024-09-13 16:28
Severity: 9.6 (CRITICAL) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, as scored by the CNA (Liferay)
Summary
Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941.
Impacted products
Vendor Product Version
Liferay DXP Version: 7.4.13.u41
   Liferay Portal Version: 7.4.3.41


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:59:51.988Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44311"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-44311",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-13T16:28:36.237243Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-13T16:28:45.098Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u89",
              "status": "affected",
              "version": "7.4.13.u41",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.89",
              "status": "affected",
              "version": "7.4.3.41",
              "versionType": "maven"
            }
          ]
        }
      ],
      "datePublic": "2023-10-17T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module\u0027s OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941."
            }
          ],
          "value": "Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module\u0027s OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-17T09:39:07.508Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44311"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-44311",
    "datePublished": "2023-10-17T09:39:07.508Z",
    "dateReserved": "2023-09-28T11:23:54.829Z",
    "dateUpdated": "2024-09-13T16:28:45.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42113
Vulnerability from cvelistv5
Published
2022-10-18 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.182Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42113"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-18T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42113"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42113",
    "datePublished": "2022-10-18T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.182Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38266
Vulnerability from cvelistv5
Published
2022-03-02 23:00
Modified
2024-08-04 01:37
Severity ?
Summary
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exists in LDAP.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.310Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17191"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T14:52:13",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17191"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-38266",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17191",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-17191"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-38266",
    "datePublished": "2022-03-02T23:00:44",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33330
Vulnerability from cvelistv5
Published
2021-08-03 18:50
Modified
2024-08-03 23:50
Severity ?
Summary
Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17127"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user\u2019s email address and current CSRF token."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:50:43",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17127"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33330",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user\u2019s email address and current CSRF token."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17127",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17127"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33330",
    "datePublished": "2021-08-03T18:50:43",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-8349
Vulnerability from cvelistv5
Published
2014-11-24 16:00
Modified
2024-08-06 13:18
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:18:47.236Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1031255",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1031255"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html"
          },
          {
            "name": "20141120 CVE-2014-8349 LIFERAY Portal Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2014/Nov/61"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-11-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2015-04-28T13:57:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "1031255",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1031255"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html"
        },
        {
          "name": "20141120 CVE-2014-8349 LIFERAY Portal Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2014/Nov/61"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-8349",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1031255",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1031255"
            },
            {
              "name": "http://packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html"
            },
            {
              "name": "20141120 CVE-2014-8349 LIFERAY Portal Stored XSS",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2014/Nov/61"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-8349",
    "datePublished": "2014-11-24T16:00:00",
    "dateReserved": "2014-10-20T00:00:00",
    "dateUpdated": "2024-08-06T13:18:47.236Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-13445
Vulnerability from cvelistv5
Published
2020-06-10 18:09
Modified
2024-08-04 12:18
Severity ?
Summary
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:18:18.284Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17023"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2020-06-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-22T01:12:32",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17023"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-13445",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17023",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-17023"
            },
            {
              "name": "https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce",
              "refsource": "MISC",
              "url": "https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-13445",
    "datePublished": "2020-06-10T18:09:38",
    "dateReserved": "2020-05-25T00:00:00",
    "dateUpdated": "2024-08-04T12:18:18.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42132
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.198Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17438"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17438"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42132",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42115
Vulnerability from cvelistv5
Published
2022-10-18 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:44.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42115"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Object module\u0027s edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field\u0027s `Label` text field."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-18T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42115"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42115",
    "datePublished": "2022-10-18T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:44.119Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-13444
Vulnerability from cvelistv5
Published
2020-06-10 18:17
Modified
2024-08-04 12:18
Severity ?
Summary
Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:18:18.349Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17009"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2020-06-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-16T13:06:46",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17009"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-13444",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17009",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17009"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-13444",
    "datePublished": "2020-06-10T18:17:13",
    "dateReserved": "2020-05-25T00:00:00",
    "dateUpdated": "2024-08-04T12:18:18.349Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33990
Vulnerability from cvelistv5
Published
2023-04-16 00:00
Modified
2025-02-13 16:28
Severity ?
Summary
Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:6.2.5:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "status": "affected",
                "version": "6.2.5"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-33990",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-12T15:25:13.614978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-78",
                "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-12T15:32:55.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:05:52.447Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/fu2x2000/Liferay_exploit_Poc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal 6.2.5 allows Command=FileUpload\u0026Type=File\u0026CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-26T19:43:13.866Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/fu2x2000/Liferay_exploit_Poc"
        },
        {
          "url": "http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33990",
    "datePublished": "2023-04-16T00:00:00.000Z",
    "dateReserved": "2021-06-07T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:28:22.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33325
Vulnerability from cvelistv5
Published
2021-08-03 18:33
Modified
2024-08-03 23:50
Severity ?
Summary
In the Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, users' clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.278Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17042"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user\u0027s clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user\u0027s password."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:33:34",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17042"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33325",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user\u0027s clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user\u0027s password."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17042",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17042"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33325",
    "datePublished": "2021-08-03T18:33:34",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33320
Vulnerability from cvelistv5
Published
2021-08-03 18:09
Modified
2024-08-03 23:50
Severity ?
Summary
The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.556Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747590"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17007"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:09:17",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747590"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17007"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33320",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747590",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747590"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17007",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17007"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33320",
    "datePublished": "2021-08-03T18:09:17",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-15842
Vulnerability from cvelistv5
Published
2020-07-20 01:06
Modified
2024-08-04 13:30
Summary
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:30:22.940Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-16963"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-20T01:06:54",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-16963"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15842",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-16963",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-16963"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15842",
    "datePublished": "2020-07-20T01:06:54",
    "dateReserved": "2020-07-20T00:00:00",
    "dateUpdated": "2024-08-04T13:30:22.940Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-28885
Vulnerability from cvelistv5
Published
2022-01-28 11:17
Modified
2024-08-04 16:41
Severity ?
Summary
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design flaw.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:41:00.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design fla"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-17T15:57:14",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-28885",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "** DISPUTED ** Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design flaw"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://medium.com/@tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3",
              "refsource": "MISC",
              "url": "https://medium.com/@tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-28885",
    "datePublished": "2022-01-28T11:17:38",
    "dateReserved": "2020-11-16T00:00:00",
    "dateUpdated": "2024-08-04T16:41:00.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2009-3742
Vulnerability from cvelistv5
Published
2010-01-07 20:00
Modified
2024-09-16 20:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter.
References
http://issues.liferay.com/browse/LPS-6034 (x_refsource_CONFIRM)
http://www.kb.cert.org/vuls/id/750796 (third-party-advisory, x_refsource_CERT-VN)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T06:38:30.269Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/browse/LPS-6034"
          },
          {
            "name": "VU#750796",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/750796"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2010-01-07T20:00:00Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/browse/LPS-6034"
        },
        {
          "name": "VU#750796",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/750796"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2009-3742",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://issues.liferay.com/browse/LPS-6034",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/browse/LPS-6034"
            },
            {
              "name": "VU#750796",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/750796"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2009-3742",
    "datePublished": "2010-01-07T20:00:00Z",
    "dateReserved": "2009-10-22T00:00:00Z",
    "dateUpdated": "2024-09-16T20:36:41.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29044
Vulnerability from cvelistv5
Published
2021-05-17 10:55
Modified
2024-08-03 21:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.632Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743548"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Site module\u0027s membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T10:55:02",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743548"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29044",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Site module\u0027s membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743548",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743548"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29044",
    "datePublished": "2021-05-17T10:55:02",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-37940
Vulnerability from cvelistv5
Published
2024-12-17 21:30
Modified
2024-12-17 21:41
Summary
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.0.0
   Liferay DXP Version: 7.0.10
Version: 7.1.10
Version: 7.2.10
Version: 7.3.10
Version: 7.4.13


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-37940",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-17T21:41:20.332148Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-17T21:41:38.543Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.87",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "de-102",
              "status": "affected",
              "version": "7.0.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "dxp-28",
              "status": "affected",
              "version": "7.1.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "dxp-20",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-u29",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13-u87",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "milCERT AT"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Abderrahmane BOUNHIDJA"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy\u0027s `Service Class` text field."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy\u0027s `Service Class` text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-17T21:30:39.730Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2023-37940"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-37940",
    "datePublished": "2024-12-17T21:30:39.730Z",
    "dateReserved": "2023-07-11T09:17:17.552Z",
    "dateUpdated": "2024-12-17T21:41:38.543Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33323
Vulnerability from cvelistv5
Published
2021-08-03 18:19
Modified
2024-08-03 23:50
Severity ?
Summary
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17049"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:19:24",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17049"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33323",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17049",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17049"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33323",
    "datePublished": "2021-08-03T18:19:24",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26271
Vulnerability from cvelistv5
Published
2024-10-22 14:06
Modified
2024-10-22 20:07
Summary
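Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. Note: the structured version data in the record below gives 7.3.10-u35 as the last affected DXP 7.3 update, not update 36 as stated here, and the CISA-ADP container lists the Portal range with its bounds reversed (version 7.4.3.111, lessThanOrEqual 7.4.3.75); confirm the affected range against the vendor advisory before relying on either for patch triage or automated version matching.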
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.75
   Liferay DXP Version: 7.3.10-u32
Version: 7.4.13-u75
Version: 2023.Q3.1
Version: 2023.Q4.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.75",
                "status": "affected",
                "version": "7.4.3.111",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.3.10-u35",
                "status": "affected",
                "version": "7.3.10-u32",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.4.13-u92",
                "status": "affected",
                "version": "7.4.13-u75",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "2023.Q3.5",
                "status": "affected",
                "version": "2023.Q3.1",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "2023.Q4.2",
                "status": "affected",
                "version": "2023.Q4.0",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26271",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T19:56:06.754670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T20:07:01.935Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.111",
              "status": "affected",
              "version": "7.4.3.75",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-u35",
              "status": "affected",
              "version": "7.3.10-u32",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13-u92",
              "status": "affected",
              "version": "7.4.13-u75",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q3.5",
              "status": "affected",
              "version": "2023.Q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q4.2",
              "status": "affected",
              "version": "2023.Q4.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter."
            }
          ],
          "value": "Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T14:06:16.533Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26271",
    "datePublished": "2024-10-22T14:06:16.533Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-10-22T20:07:01.935Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-1502
Vulnerability from cvelistv5
Published
2011-05-07 19:00
Modified
2024-09-16 16:27
Severity ?
Summary
Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue.
References
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:28:41.696Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/browse/LPS-14927"
          },
          {
            "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
          },
          {
            "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
          },
          {
            "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-05-07T19:00:00Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/browse/LPS-14927"
        },
        {
          "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
        },
        {
          "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
        },
        {
          "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-1502",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://issues.liferay.com/browse/LPS-14927",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/browse/LPS-14927"
            },
            {
              "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
            },
            {
              "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
            },
            {
              "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-1502",
    "datePublished": "2011-05-07T19:00:00Z",
    "dateReserved": "2011-03-21T00:00:00Z",
    "dateUpdated": "2024-09-16T16:27:31.488Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29051
Vulnerability from cvelistv5
Published
2021-05-17 11:01
Modified
2024-08-03 21:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.676Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T11:01:49",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29051",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29051",
    "datePublished": "2021-05-17T11:01:49",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.676Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26272
Vulnerability from cvelistv5
Published
2024-10-22 14:50
Modified
2024-10-22 15:17
Summary
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.3.2
Version: 7.4.0
   Liferay DXP Version: 7.3.10
Version: 7.4.13
Version: 2023.Q3.1
Version: 2023.Q4.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.107",
                "status": "affected",
                "version": "7.4.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.3.7",
                "status": "affected",
                "version": "7.3.2",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "2023.q4.2",
                "status": "affected",
                "version": "2023.q4.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "2023.q3.5",
                "status": "affected",
                "version": "2023.q3.1",
                "versionType": "maven"
              },
              {
                "status": "affected",
                "version": "7.4"
              },
              {
                "lessThanOrEqual": "update35",
                "status": "affected",
                "version": "7.3ga",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26272",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:15:06.259842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:17:20.008Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.7",
              "status": "affected",
              "version": "7.3.2",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.3.107",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-u35",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13-u92",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q3.5",
              "status": "affected",
              "version": "2023.Q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q4.2",
              "status": "affected",
              "version": "2023.Q4.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter."
            }
          ],
          "value": "Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T14:50:41.505Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26272"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26272",
    "datePublished": "2024-10-22T14:50:41.505Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-10-22T15:17:20.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25149
Vulnerability from cvelistv5
Published
2024-02-20 07:00
Modified
2024-08-01 23:36
Summary
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions do not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not members of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-22T17:46:50.710330Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:35:34.318Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.703Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.1",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-14",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the \"Limit membership to members of the parent site\" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site."
            }
          ],
          "value": "Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the \"Limit membership to members of the parent site\" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T07:00:19.650Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25149",
    "datePublished": "2024-02-20T07:00:19.650Z",
    "dateReserved": "2024-02-06T10:32:42.567Z",
    "dateUpdated": "2024-08-01T23:36:21.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-1571
Vulnerability from cvelistv5
Published
2011-05-07 19:00
Modified
2024-09-17 00:56
Severity ?
Summary
Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:28:42.178Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/browse/LPS-14726"
          },
          {
            "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
          },
          {
            "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
          },
          {
            "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-05-07T19:00:00Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/browse/LPS-14726"
        },
        {
          "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
        },
        {
          "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
        },
        {
          "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-1571",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://issues.liferay.com/browse/LPS-14726",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/browse/LPS-14726"
            },
            {
              "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
            },
            {
              "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
            },
            {
              "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
            },
            {
              "name": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-1571",
    "datePublished": "2011-05-07T19:00:00Z",
    "dateReserved": "2011-04-05T00:00:00Z",
    "dateUpdated": "2024-09-17T00:56:46.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-7934
Vulnerability from cvelistv5
Published
2020-01-28 13:03
Modified
2024-08-04 09:48
Severity ?
Summary
In Liferay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:48:24.506Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://semanticbits.com/liferay-portal-authenticated-xss-disclosure/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/160168/LifeRay-7.2.1-GA2-Cross-Site-Scripting.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-23T17:06:26",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://semanticbits.com/liferay-portal-authenticated-xss-disclosure/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/160168/LifeRay-7.2.1-GA2-Cross-Site-Scripting.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-7934",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://semanticbits.com/liferay-portal-authenticated-xss-disclosure/",
              "refsource": "MISC",
              "url": "https://semanticbits.com/liferay-portal-authenticated-xss-disclosure/"
            },
            {
              "name": "https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934",
              "refsource": "MISC",
              "url": "https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934"
            },
            {
              "name": "http://packetstormsecurity.com/files/160168/LifeRay-7.2.1-GA2-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/160168/LifeRay-7.2.1-GA2-Cross-Site-Scripting.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-7934",
    "datePublished": "2020-01-28T13:03:44",
    "dateReserved": "2020-01-23T00:00:00",
    "dateUpdated": "2024-08-04T09:48:24.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42496
Vulnerability from cvelistv5
Published
2024-02-21 02:21
Modified
2024-08-02 19:23
Severity ?
Summary
Reflected cross-site scripting (XSS) vulnerability on the "add assignees to a role" page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.3.3
   Liferay DXP Version: 2023.q3.1
Version: 7.4.13
Version: 7.3.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42496",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T16:07:22.225984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:50.222Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:39.433Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42496"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.97",
              "status": "affected",
              "version": "7.3.3",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "2023.q3.5",
              "status": "affected",
              "version": "2023.q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u92",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-33",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Amin ACHOUR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter."
            }
          ],
          "value": "Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T02:21:01.515Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42496"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-42496",
    "datePublished": "2024-02-21T02:21:01.515Z",
    "dateReserved": "2023-09-11T08:54:24.311Z",
    "dateUpdated": "2024-08-02T19:23:39.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25151
Vulnerability from cvelistv5
Published
2024-02-21 03:17
Modified
2024-08-01 23:36
Summary
The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user-supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to content spoofing or cross-site scripting (XSS) attacks, depending on the capability of the receiver's mail client.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25151",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T19:59:16.285131Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:00.161Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.643Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.2",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-14",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user\u0027s name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver\u0027s mail client."
            }
          ],
          "value": "The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user\u0027s name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver\u0027s mail client."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T03:17:37.167Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25151",
    "datePublished": "2024-02-21T03:17:37.167Z",
    "dateReserved": "2024-02-06T10:32:42.567Z",
    "dateUpdated": "2024-08-01T23:36:21.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42123
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.528Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17518"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17518"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42123",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25148
Vulnerability from cvelistv5
Published
2024-02-08 03:43
Modified
2024-10-02 15:34
Summary
In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions, the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.792Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-21T17:33:36.777108Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-21T17:33:47.793Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.1",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-14",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content."
            }
          ],
          "value": "In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-02T15:34:33.761Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25148",
    "datePublished": "2024-02-08T03:43:14.148Z",
    "dateReserved": "2024-02-06T10:32:42.567Z",
    "dateUpdated": "2024-10-02T15:34:33.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-7961
Vulnerability from cvelistv5
Published
2020-03-20 18:16
Modified
2025-02-04 20:04
Severity ?
Summary
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:48:24.538Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-7961",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T19:57:35.405600Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2020-7961"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T20:04:49.876Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-19T16:09:25.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-7961",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271"
            },
            {
              "name": "http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html"
            },
            {
              "name": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
              "refsource": "MISC",
              "url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-7961",
    "datePublished": "2020-03-20T18:16:42.000Z",
    "dateReserved": "2020-01-24T00:00:00.000Z",
    "dateUpdated": "2025-02-04T20:04:49.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42112
Vulnerability from cvelistv5
Published
2022-10-18 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.719Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-18T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42112",
    "datePublished": "2022-10-18T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-15841
Vulnerability from cvelistv5
Published
2020-07-20 01:06
Modified
2024-08-04 13:30
Summary
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:30:22.302Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-16928"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server\u0027s password via the Test LDAP Connection feature."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:R",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-20T01:06:39",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.liferay.com/browse/LPE-16928"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15841",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server\u0027s password via the Test LDAP Connection feature."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:R",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-16928",
              "refsource": "MISC",
              "url": "https://issues.liferay.com/browse/LPE-16928"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15841",
    "datePublished": "2020-07-20T01:06:39",
    "dateReserved": "2020-07-20T00:00:00",
    "dateUpdated": "2024-08-04T13:30:22.302Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-44309
Vulnerability from cvelistv5
Published
2023-10-17 08:23
Modified
2024-09-13 16:31
Severity ?
Summary
Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:59:51.992Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-44309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-13T16:31:32.979058Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-13T16:31:44.348Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u53",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.53",
              "status": "affected",
              "version": "7.4.2",
              "versionType": "maven"
            }
          ]
        }
      ],
      "datePublic": "2023-10-17T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset."
            }
          ],
          "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-17T08:23:27.403Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-44309",
    "datePublished": "2023-10-17T08:23:27.403Z",
    "dateReserved": "2023-09-28T11:23:54.829Z",
    "dateUpdated": "2024-09-13T16:31:44.348Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25605
Vulnerability from cvelistv5
Published
2024-02-20 08:51
Modified
2024-08-01 23:44
Summary
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.4",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "status": "affected",
                "version": "7.4.13"
              },
              {
                "lessThanOrEqual": "7.3.10-dxp-2",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.2.10 \u003c= 7.2.10-dxp-16",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25605",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T16:21:08.731302Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-29T15:14:35.486Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.695Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.4",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "status": "affected",
              "version": "7.4.13"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API."
            }
          ],
          "value": "The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276 Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T08:51:32.953Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25605",
    "datePublished": "2024-02-20T08:51:32.953Z",
    "dateReserved": "2024-02-08T13:57:11.425Z",
    "dateUpdated": "2024-08-01T23:44:09.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33937
Vulnerability from cvelistv5
Published
2023-05-24 12:16
Modified
2024-10-22 15:52
Summary
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.1.0
   Liferay DXP Version: 7.1.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.972Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33937"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33937",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:46:27.983047Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:55.857Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.0",
              "status": "affected",
              "version": "7.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.1.10-dxp-17",
              "status": "affected",
              "version": "7.1.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-4",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form\u0027s `name` field."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form\u0027s `name` field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T12:16:36.342Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33937"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33937",
    "datePublished": "2023-05-24T12:16:36.342Z",
    "dateReserved": "2023-05-24T02:36:00.162Z",
    "dateUpdated": "2024-10-22T15:52:55.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42629
Vulnerability from cvelistv5
Published
2023-10-17 08:13
Modified
2024-08-02 19:23
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:40.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629"
          },
          {
            "tags": [
              "exploit",
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u87",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.87",
              "status": "affected",
              "version": "7.4.2",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Michael Oelke"
        }
      ],
      "datePublic": "2023-10-17T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary\u0027s \u0027description\u0027 text field."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary\u0027s \u0027description\u0027 text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-10T02:34:30.191Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629"
        },
        {
          "tags": [
            "exploit",
            "third-party-advisory"
          ],
          "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-42629",
    "datePublished": "2023-10-17T08:13:31.830Z",
    "dateReserved": "2023-09-12T05:35:42.826Z",
    "dateUpdated": "2024-08-02T19:23:40.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42126
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.085Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17593"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17593"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42126",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.085Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33337
Vulnerability from cvelistv5
Published
2021-08-04 13:15
Modified
2024-08-03 23:50
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.548Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33337-stored-xss-with-document-types-in-documents-and-media"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17101"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Document Library module\u0027s add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-04T13:15:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33337-stored-xss-with-document-types-in-documents-and-media"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17101"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33337",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Document Library module\u0027s add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33337-stored-xss-with-document-types-in-documents-and-media",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33337-stored-xss-with-document-types-in-documents-and-media"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17101",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17101"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33337",
    "datePublished": "2021-08-04T13:15:07",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-12647
Vulnerability from cvelistv5
Published
2017-08-07 16:00
Modified
2024-09-16 16:24
Severity ?
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.603Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/brianchandotcom/liferay-portal/pull/48901"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T16:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/brianchandotcom/liferay-portal/pull/48901"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12647",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/brianchandotcom/liferay-portal/pull/48901",
              "refsource": "CONFIRM",
              "url": "https://github.com/brianchandotcom/liferay-portal/pull/48901"
            },
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-12647",
    "datePublished": "2017-08-07T16:00:00Z",
    "dateReserved": "2017-08-07T00:00:00Z",
    "dateUpdated": "2024-09-16T16:24:16.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29053
Vulnerability from cvelistv5
Published
2021-05-17 10:41
Modified
2024-08-03 21:55
Severity ?
Summary
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.512Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T10:41:13",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29053",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29053",
    "datePublished": "2021-05-17T10:41:13",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42498
Vulnerability from cvelistv5
Published
2024-02-21 02:47
Modified
2024-08-02 19:23
Severity ?
Summary
Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.8
   Liferay DXP Version: 2023.q3.1
Version: 7.4.13.u4


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42498",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-26T17:54:30.386431Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:25:12.034Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:39.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42498"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.97",
              "status": "affected",
              "version": "7.4.3.8",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "2023.q3.4",
              "status": "affected",
              "version": "2023.q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u92",
              "status": "affected",
              "version": "7.4.13.u4",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Amin ACHOUR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter."
            }
          ],
          "value": "Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T02:47:45.261Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42498"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-42498",
    "datePublished": "2024-02-21T02:47:45.261Z",
    "dateReserved": "2023-09-11T08:54:24.312Z",
    "dateUpdated": "2024-08-02T19:23:39.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-11444
Vulnerability from cvelistv5
Published
2019-04-22 04:00
Modified
2024-08-04 22:55
Severity ?
Summary
An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run Groovy scripts and therefore not a design flaw.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:55:39.727Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/46525"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/discover/portal/-/knowledge_base/7-1/running-scripts-from-the-script-console"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay\u0027s Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by \"def cmd =\" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-09T19:05:31",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.exploit-db.com/exploits/46525"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dev.liferay.com/discover/portal/-/knowledge_base/7-1/running-scripts-from-the-script-console"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-11444",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay\u0027s Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by \"def cmd =\" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.exploit-db.com/exploits/46525",
              "refsource": "MISC",
              "url": "https://www.exploit-db.com/exploits/46525"
            },
            {
              "name": "https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html",
              "refsource": "MISC",
              "url": "https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html"
            },
            {
              "name": "https://dev.liferay.com/discover/portal/-/knowledge_base/7-1/running-scripts-from-the-script-console",
              "refsource": "MISC",
              "url": "https://dev.liferay.com/discover/portal/-/knowledge_base/7-1/running-scripts-from-the-script-console"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-11444",
    "datePublished": "2019-04-22T04:00:36",
    "dateReserved": "2019-04-21T00:00:00",
    "dateUpdated": "2024-08-04T22:55:39.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-45320
Vulnerability from cvelistv5
Published
2024-02-20 00:00
Modified
2024-08-03 14:09
Severity ?
Summary
Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-45320",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T15:24:47.287313Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:20:58.251Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:09:56.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-45320"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T04:48:11.109325",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-45320"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-45320",
    "datePublished": "2024-02-20T00:00:00",
    "dateReserved": "2022-11-14T00:00:00",
    "dateUpdated": "2024-08-03T14:09:56.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33948
Vulnerability from cvelistv5
Published
2023-05-24 15:42
Modified
2024-10-22 15:51
Summary
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.67
   Liferay DXP Version: 7.4.13.u67


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.907Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33948",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:48:49.413660Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:51:37.861Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "status": "affected",
              "version": "7.4.3.67"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "status": "affected",
              "version": "7.4.13.u67"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL."
            }
          ],
          "value": "The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T15:42:39.906Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33948",
    "datePublished": "2023-05-24T15:42:39.906Z",
    "dateReserved": "2023-05-24T02:36:00.165Z",
    "dateUpdated": "2024-10-22T15:51:37.861Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33332
Vulnerability from cvelistv5
Published
2021-08-03 20:58
Modified
2024-08-03 23:50
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.594Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748366"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17053"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T20:58:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748366"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17053"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33332",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748366",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748366"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17053",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17053"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33332",
    "datePublished": "2021-08-03T20:58:01",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29046
Vulnerability from cvelistv5
Published
2021-05-17 10:27
Modified
2024-08-03 21:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.635Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-17T10:27:37",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29046",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29046",
    "datePublished": "2021-05-17T10:27:37",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-47798
Vulnerability from cvelistv5
Published
2024-02-08 02:55
Modified
2024-08-02 21:16
Summary
Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:16:43.623Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.0",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.2.10-dxp-4",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked."
            }
          ],
          "value": "Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "CWE-384 Session Fixation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-08T02:55:43.923Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-47798",
    "datePublished": "2024-02-08T02:55:43.923Z",
    "dateReserved": "2023-11-10T01:49:20.188Z",
    "dateUpdated": "2024-08-02T21:16:43.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-11993
Vulnerability from cvelistv5
Published
2024-12-17 20:24
Modified
2024-12-17 21:24
Summary
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field
Impacted products
Vendor Product Version
Liferay Portal Version: 7.1.0
   Liferay DXP Version: 7.1.10
Version: 7.2.10
Version: 7.3.10
Version: 7.4.13


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-11993",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-17T21:24:48.114546Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-17T21:24:55.247Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.38",
              "status": "affected",
              "version": "7.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "dxp-28",
              "status": "affected",
              "version": "7.1.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "dxp-20",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-u36",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13-u38",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Liferay"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "milCERT AT"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field\u003cbr\u003e"
            }
          ],
          "value": "Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-17T20:24:42.600Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-11993",
    "datePublished": "2024-12-17T20:24:42.600Z",
    "dateReserved": "2024-11-29T11:32:54.553Z",
    "dateUpdated": "2024-12-17T21:24:55.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25152
Vulnerability from cvelistv5
Published
2024-02-21 02:00
Modified
2024-08-26 16:52
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.821Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:liferay_portal:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "liferay_portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThan": "7.4.2",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "digital_experience_platform",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.3.10-dxp-",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.2.10-dxp-16",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25152",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T19:54:47.190614Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-26T16:52:06.441Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.2",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T02:00:32.694Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25152",
    "datePublished": "2024-02-21T02:00:32.694Z",
    "dateReserved": "2024-02-06T10:32:42.567Z",
    "dateUpdated": "2024-08-26T16:52:06.441Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-8980
Vulnerability from cvelistv5
Published
2024-10-22 14:43
Modified
2024-10-22 15:08
Severity ?
Summary
The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.0.0
   Liferay DXP Version: 6.2.0
Version: 7.0.10
Version: 7.1.10
Version: 7.2.10
Version: 7.3.10
Version: 7.4.13
Version: 2023.Q3.1


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.101",
                "status": "affected",
                "version": "7.4.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.3.7",
                "status": "affected",
                "version": "7.3.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.2.1",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.1.3",
                "status": "affected",
                "version": "7.1.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "2023.q3.4",
                "status": "affected",
                "version": "7.0.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "2023.q3.4",
                "status": "affected",
                "version": "2023.q3.1",
                "versionType": "maven"
              },
              {
                "status": "affected",
                "version": "7.4"
              },
              {
                "lessThanOrEqual": "update35",
                "status": "affected",
                "version": "7.3ga",
                "versionType": "maven"
              },
              {
                "status": "affected",
                "version": "7.2"
              },
              {
                "status": "affected",
                "version": "7.1"
              },
              {
                "status": "affected",
                "version": "7.0"
              },
              {
                "status": "affected",
                "version": "6.2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:02:17.489238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:08:48.472Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.101",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "portal-173",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "de-102",
              "status": "affected",
              "version": "7.0.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "dxp-28",
              "status": "affected",
              "version": "7.1.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "dxp-20",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-u35",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13-u92",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q3.4",
              "status": "affected",
              "version": "2023.Q3.1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173\u003cbr\u003e does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability."
            }
          ],
          "value": "The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173\n does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T14:43:04.606Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-8980",
    "datePublished": "2024-10-22T14:43:04.606Z",
    "dateReserved": "2024-09-18T18:04:13.531Z",
    "dateUpdated": "2024-10-22T15:08:48.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42116
Vulnerability from cvelistv5
Published
2022-10-18 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.784Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42116"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Frontend Editor module\u0027s integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-18T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42116"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42116",
    "datePublished": "2022-10-18T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-26273
Vulnerability from cvelistv5
Published
2024-10-22 15:01
Modified
2024-10-22 15:20
Summary
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, and (4) perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.0
   Liferay DXP Version: 7.3.10-u29
Version: 7.4.13
Version: 2023.Q3.1
Version: 2023.Q4.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.103",
                "status": "affected",
                "version": "7.4.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dxp",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "2023.q4.2",
                "status": "affected",
                "version": "2023.q4.0",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "2023.q3.5",
                "status": "affected",
                "version": "2023.q3.1",
                "versionType": "maven"
              },
              {
                "status": "affected",
                "version": "7.4"
              },
              {
                "lessThanOrEqual": "update35",
                "status": "affected",
                "version": "7.3update29",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26273",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:18:21.690865Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:20:22.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.103",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-u35",
              "status": "affected",
              "version": "7.3.10-u29",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13-u92",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q3.5",
              "status": "affected",
              "version": "2023.Q3.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2023.Q4.2",
              "status": "affected",
              "version": "2023.Q4.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter."
            }
          ],
          "value": "Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T15:01:29.395Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26273"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-26273",
    "datePublished": "2024-10-22T15:01:29.395Z",
    "dateReserved": "2024-02-15T07:44:36.776Z",
    "dateUpdated": "2024-10-22T15:20:22.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33939
Vulnerability from cvelistv5
Published
2023-05-24 13:41
Modified
2024-10-22 15:52
Summary
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.1.0
   Liferay DXP Version: 7.1.10
Version: 7.2.10
Version: 7.3.10
Version: 7.4.13


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.948Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:45:50.988282Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:40.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.12",
              "status": "affected",
              "version": "7.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.1.10-dxp-26",
              "status": "affected",
              "version": "7.1.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-17",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-sp3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.4.13.u8",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T13:41:22.321Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33939",
    "datePublished": "2023-05-24T13:41:22.321Z",
    "dateReserved": "2023-05-24T02:36:00.163Z",
    "dateUpdated": "2024-10-22T15:52:40.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33942
Vulnerability from cvelistv5
Published
2023-05-24 14:49
Modified
2024-10-22 15:52
Summary
Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.50
   Liferay DXP Version: 7.4.13.u50


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.949Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33942"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33942",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:47:21.518857Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:20.409Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "status": "affected",
              "version": "7.4.3.50"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "status": "affected",
              "version": "7.4.13.u50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in the Web Content Display widget\u0027s article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article\u0027s `Title` field."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in the Web Content Display widget\u0027s article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article\u0027s `Title` field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-01T03:20:20.675Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33942"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33942",
    "datePublished": "2023-05-24T14:49:17.472Z",
    "dateReserved": "2023-05-24T02:36:00.163Z",
    "dateUpdated": "2024-10-22T15:52:20.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-29047
Vulnerability from cvelistv5
Published
2021-05-16 15:29
Modified
2024-08-03 21:55
Severity ?
Summary
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after they are used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.508Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-16T15:29:52",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29047",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29047",
    "datePublished": "2021-05-16T15:29:52",
    "dateReserved": "2021-03-22T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-35030
Vulnerability from cvelistv5
Published
2023-06-15 04:06
Modified
2024-10-22 15:51
Summary
Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.70
   Liferay DXP Version: 7.4.13.u70


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:17:04.236Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-35030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:48:29.662822Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:51:16.440Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.76",
              "status": "affected",
              "version": "7.4.3.70",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u76",
              "status": "affected",
              "version": "7.4.13.u70",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Henrik Bayer (NDIx)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site request forgery (CSRF) vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
            }
          ],
          "value": "Cross-site request forgery (CSRF) vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-15T04:06:36.864Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-35030",
    "datePublished": "2023-06-15T04:06:36.864Z",
    "dateReserved": "2023-06-12T01:29:57.068Z",
    "dateUpdated": "2024-10-22T15:51:16.440Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-3426
Vulnerability from cvelistv5
Published
2023-08-02 09:40
Modified
2024-10-11 14:09
Summary
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
Impacted products
Vendor Product Version
Liferay DXP Version: 7.4.13.u81
   Liferay Portal Version: 7.4.3.81


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:55:03.498Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3426",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-11T13:02:53.152164Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-11T14:09:13.856Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u85",
              "status": "affected",
              "version": "7.4.13.u81",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.85",
              "status": "affected",
              "version": "7.4.3.81",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "4rth4s"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations."
            }
          ],
          "value": "The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-425",
              "description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-02T15:24:59.097Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-3426",
    "datePublished": "2023-08-02T09:40:28.090Z",
    "dateReserved": "2023-06-27T05:43:01.235Z",
    "dateUpdated": "2024-10-11T14:09:13.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-47797
Vulnerability from cvelistv5
Published
2023-11-17 06:03
Modified
2024-08-29 14:15
Severity ?
Summary
Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.94


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:16:43.592Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47797"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-47797",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-29T14:14:17.940611Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T14:15:06.460Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.95",
              "status": "affected",
              "version": "7.4.3.94",
              "versionType": "maven"
            }
          ]
        }
      ],
      "datePublic": "2023-11-17T05:40:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Reflected cross-site scripting (XSS) vulnerability on a content page\u2019s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter."
            }
          ],
          "value": "Reflected cross-site scripting (XSS) vulnerability on a content page\u2019s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-17T06:03:00.299Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47797"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-47797",
    "datePublished": "2023-11-17T06:03:00.299Z",
    "dateReserved": "2023-11-10T01:49:20.188Z",
    "dateUpdated": "2024-08-29T14:15:06.460Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33338
Vulnerability from cvelistv5
Published
2021-08-04 13:07
Modified
2024-08-03 23:50
Severity ?
Summary
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.556Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17030"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-04T13:07:26",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17030"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33338",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17030",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17030"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33338",
    "datePublished": "2021-08-04T13:07:26",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33327
Vulnerability from cvelistv5
Published
2021-08-03 18:46
Modified
2024-08-03 23:50
Severity ?
Summary
The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.434Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17075"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if \"Role Visibility\" is enabled."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:46:02",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17075"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33327",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if \"Role Visibility\" is enabled."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17075",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17075"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33327",
    "datePublished": "2021-08-03T18:46:02",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-28884
Vulnerability from cvelistv5
Published
2022-01-28 00:00
Modified
2024-08-04 16:41
Severity ?
Summary
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run Groovy scripts and therefore not a design flaw.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-28884",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-26T19:12:13.680635Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:12:33.251Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:41:00.169Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://learn.liferay.com/dxp/latest/en/system-administration/using-the-script-engine/running-scripts-from-the-script-console.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-31T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
        },
        {
          "url": "https://learn.liferay.com/dxp/latest/en/system-administration/using-the-script-engine/running-scripts-from-the-script-console.html"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-28884",
    "datePublished": "2022-01-28T00:00:00",
    "dateReserved": "2020-11-16T00:00:00",
    "dateUpdated": "2024-08-04T16:41:00.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25601
Vulnerability from cvelistv5
Published
2024-02-21 01:54
Modified
2024-08-01 23:44
Severity ?
Summary
Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25601",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T14:15:10.305868Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:48.975Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.660Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25601"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.2",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-16",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored cross-site scripting (XSS) vulnerability in Expando module\u0027s geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field."
            }
          ],
          "value": "Stored cross-site scripting (XSS) vulnerability in Expando module\u0027s geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T01:54:47.283Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25601"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25601",
    "datePublished": "2024-02-21T01:54:47.283Z",
    "dateReserved": "2024-02-08T13:57:11.425Z",
    "dateUpdated": "2024-08-01T23:44:09.660Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25146
Vulnerability from cvelistv5
Published
2024-02-08 03:36
Modified
2024-08-01 23:36
Summary
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions return different responses depending on whether a site does not exist or the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.1",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-17",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used."
            }
          ],
          "value": "Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204 Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-08T03:36:07.512Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25146",
    "datePublished": "2024-02-08T03:36:07.512Z",
    "dateReserved": "2024-02-06T10:32:42.567Z",
    "dateUpdated": "2024-08-01T23:36:21.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42118
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.899Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42118"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17342"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42118"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17342"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42118",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28980
Vulnerability from cvelistv5
Published
2022-09-22 00:13
Modified
2024-08-03 06:10
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allow attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:57.547Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-22T00:13:41",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-28980",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_*-parameters-in-applied-fragment-filters",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_*-parameters-in-applied-fragment-filters"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28980",
    "datePublished": "2022-09-22T00:13:41",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-08-03T06:10:57.547Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42121
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42121"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17414"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template\u0027s \u0027Name\u0027 field."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42121"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17414"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42121",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-1000425
Vulnerability from cvelistv5
Published
2018-01-02 23:00
Modified
2024-08-05 22:00
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:00:41.141Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7030-multiple-xss-vulnerabilities-in-7-0-ce-ga4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a43d18c031"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-01-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the \"movie\" parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-02T21:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7030-multiple-xss-vulnerabilities-in-7-0-ce-ga4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a43d18c031"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-1000425",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the \"movie\" parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7030-multiple-xss-vulnerabilities-in-7-0-ce-ga4",
              "refsource": "MISC",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7030-multiple-xss-vulnerabilities-in-7-0-ce-ga4"
            },
            {
              "name": "https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a43d18c031",
              "refsource": "MISC",
              "url": "https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a43d18c031"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-1000425",
    "datePublished": "2018-01-02T23:00:00",
    "dateReserved": "2018-01-02T00:00:00",
    "dateUpdated": "2024-08-05T22:00:41.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-39975
Vulnerability from cvelistv5
Published
2022-09-21 23:35
Modified
2024-08-03 12:07
Severity ?
Summary
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:07:42.971Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a \"Content Page\" type page, allowing attackers to view unpublished \"Content Page\" pages via URL manipulation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-21T23:35:57",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-39975",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a \"Content Page\" type page, allowing attackers to view unpublished \"Content Page\" pages via URL manipulation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-39975",
    "datePublished": "2022-09-21T23:35:57",
    "dateReserved": "2022-09-06T00:00:00",
    "dateUpdated": "2024-08-03T12:07:42.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25143
Vulnerability from cvelistv5
Published
2024-02-07 14:45
Modified
2024-10-02 15:29
Summary
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.
Impacted products
Vendor Product Version
Liferay DXP Version: 7.3.10
Version: 7.2.10
   Liferay Portal Version: 7.2.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.826Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-19T20:07:01.114816Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-19T20:07:09.484Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10-dxp-2",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-12",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.6",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images."
            }
          ],
          "value": "The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-02T15:29:27.818Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25143",
    "datePublished": "2024-02-07T14:45:04.168Z",
    "dateReserved": "2024-02-06T10:32:42.566Z",
    "dateUpdated": "2024-10-02T15:29:27.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42110
Vulnerability from cvelistv5
Published
2022-11-14 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML.
Impacted products
Vendor Product Version
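n/a n/a Version: n/a (the CNA record leaves the structured vendor, product and version fields unpopulated; the affected product and versions are stated only in the Summary text, so automated matching on these fields may miss this CVE)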


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.457Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42110"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17403"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-14T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42110"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17403"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42110",
    "datePublished": "2022-11-14T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.457Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25144
Vulnerability from cvelistv5
Published
2024-02-08 03:25
Modified
2024-10-02 15:31
Summary
The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25144",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-08T20:11:12.629935Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:20:46.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:36:21.643Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.26",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u26",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10.u5",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-18",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame."
            }
          ],
          "value": "The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-02T15:31:02.494Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25144",
    "datePublished": "2024-02-08T03:25:31.037Z",
    "dateReserved": "2024-02-06T10:32:42.566Z",
    "dateUpdated": "2024-10-02T15:31:02.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-17868
Vulnerability from cvelistv5
Published
2017-12-23 23:00
Modified
2024-08-05 21:06
Severity ?
Summary
In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag.
References
https://cxsecurity.com/issue/WLB-2017120169 (x_refsource_MISC)
Impacted products
Vendor Product Version
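n/a n/a Version: n/a (the CNA record leaves the structured vendor, product and version fields unpopulated; the affected product and version are stated only in the Summary text, so automated matching on these fields may miss this CVE)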


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T21:06:48.955Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cxsecurity.com/issue/WLB-2017120169"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-12-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-23T23:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cxsecurity.com/issue/WLB-2017120169"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-17868",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cxsecurity.com/issue/WLB-2017120169",
              "refsource": "MISC",
              "url": "https://cxsecurity.com/issue/WLB-2017120169"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-17868",
    "datePublished": "2017-12-23T23:00:00",
    "dateReserved": "2017-12-23T00:00:00",
    "dateUpdated": "2024-08-05T21:06:48.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-35029
Vulnerability from cvelistv5
Published
2023-06-15 03:59
Modified
2024-10-22 15:41
Summary
Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.70
   Liferay DXP Version: 7.4.13.u70


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:17:04.188Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-35029",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:41:37.684040Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:41:49.018Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.76",
              "status": "affected",
              "version": "7.4.3.70",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u76",
              "status": "affected",
              "version": "7.4.13.u70",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Henrik Bayer (NDIx)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Open redirect vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
            }
          ],
          "value": "Open redirect vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-15T03:59:44.155Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-35029",
    "datePublished": "2023-06-15T03:59:44.155Z",
    "dateReserved": "2023-06-12T01:29:57.067Z",
    "dateUpdated": "2024-10-22T15:41:49.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28982
Vulnerability from cvelistv5
Published
2022-09-21 23:57
Modified
2024-08-03 06:10
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
Impacted products
Vendor Product Version
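n/a n/a Version: n/a (the CNA record leaves the structured vendor, product and version fields unpopulated; the affected product and versions are stated only in the Summary text, so automated matching on these fields may miss this CVE)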


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:57.773Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-21T23:57:41",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-28982",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28982",
    "datePublished": "2022-09-21T23:57:41",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-08-03T06:10:57.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28977
Vulnerability from cvelistv5
Published
2022-09-22 00:02
Modified
2024-08-03 06:10
Severity ?
Summary
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via (1) the `redirect` parameter, (2) the `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:58.669Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-22T00:02:08",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-28977",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28977",
    "datePublished": "2022-09-22T00:02:08",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-08-03T06:10:58.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33940
Vulnerability from cvelistv5
Published
2023-05-24 13:55
Modified
2024-10-22 15:52
Summary
Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.784Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33940"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33940",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:45:34.553380Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:33.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.30",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u30",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App\u0027s IFrame URL."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App\u0027s IFrame URL."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T13:55:23.431Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33940"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33940",
    "datePublished": "2023-05-24T13:55:23.431Z",
    "dateReserved": "2023-05-24T02:36:00.163Z",
    "dateUpdated": "2024-10-22T15:52:33.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-24554
Vulnerability from cvelistv5
Published
2020-09-01 13:49
Modified
2024-08-04 15:12
Severity ?
Summary
The redirect module in Liferay Portal before 7.3.3 does not limit how many URLs resulting in a 404 error are recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:12:09.018Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784956"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-01T13:49:14",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784956"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-24554",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784956",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784956"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-24554",
    "datePublished": "2020-09-01T13:49:14",
    "dateReserved": "2020-08-20T00:00:00",
    "dateUpdated": "2024-08-04T15:12:09.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-10404
Vulnerability from cvelistv5
Published
2017-08-07 16:00
Modified
2024-09-16 20:12
Severity ?
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:21:51.315Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/liferay/liferay-portal/commit/333f65bae9106182d12e02d249d4f95e16e93fa2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T16:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/liferay/liferay-portal/commit/333f65bae9106182d12e02d249d4f95e16e93fa2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-10404",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
            },
            {
              "name": "https://github.com/liferay/liferay-portal/commit/333f65bae9106182d12e02d249d4f95e16e93fa2",
              "refsource": "CONFIRM",
              "url": "https://github.com/liferay/liferay-portal/commit/333f65bae9106182d12e02d249d4f95e16e93fa2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-10404",
    "datePublished": "2017-08-07T16:00:00Z",
    "dateReserved": "2017-08-07T00:00:00Z",
    "dateUpdated": "2024-09-16T20:12:18.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-25476
Vulnerability from cvelistv5
Published
2021-01-07 16:04
Modified
2024-08-04 15:33
Severity ?
Summary
Liferay CMS Portal versions 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert a malicious payload in the username, lastname or surname fields of their own profile, and the payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate their privileges if an admin visits the calendar that contains the injected payload.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:33:05.672Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119318646"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/community-security-team/liferay-portal/compare/7.1.3-ga4...7.1.3-cumulative.patch"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-07T16:04:39",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119318646"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/community-security-team/liferay-portal/compare/7.1.3-ga4...7.1.3-cumulative.patch"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-25476",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119318646",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119318646"
            },
            {
              "name": "https://github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch",
              "refsource": "MISC",
              "url": "https://github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch"
            },
            {
              "name": "https://github.com/community-security-team/liferay-portal/compare/7.1.3-ga4...7.1.3-cumulative.patch",
              "refsource": "MISC",
              "url": "https://github.com/community-security-team/liferay-portal/compare/7.1.3-ga4...7.1.3-cumulative.patch"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-25476",
    "datePublished": "2021-01-07T16:04:39",
    "dateReserved": "2020-09-14T00:00:00",
    "dateUpdated": "2024-08-04T15:33:05.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33941
Vulnerability from cvelistv5
Published
2023-05-24 14:36
Modified
2024-10-22 15:52
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.4.3.41
   Liferay DXP Version: 7.4.13.u41


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33941"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33941",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:47:35.864239Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:26.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.52",
              "status": "affected",
              "version": "7.4.3.41",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u52",
              "status": "affected",
              "version": "7.4.13.u41",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module\u0027s OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter."
            }
          ],
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module\u0027s OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T14:36:07.977Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33941"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33941",
    "datePublished": "2023-05-24T14:36:07.977Z",
    "dateReserved": "2023-05-24T02:36:00.163Z",
    "dateUpdated": "2024-10-22T15:52:26.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25610
Vulnerability from cvelistv5
Published
2024-02-20 12:42
Modified
2024-08-28 13:37
Severity ?
Summary
In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.
Impacted products
Vendor Product Version
Liferay Portal Version: 7.2.0
   Liferay DXP Version: 7.4.13
Version: 7.3.10
Version: 7.2.10


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.718Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "portal",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.4.3.12",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "maven"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "digital_experience_platform",
            "vendor": "liferay",
            "versions": [
              {
                "lessThanOrEqual": "7.2.10-dxp-18",
                "status": "affected",
                "version": "7.2.10",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.3.10-dxp-3",
                "status": "affected",
                "version": "7.3.10",
                "versionType": "maven"
              },
              {
                "lessThanOrEqual": "7.4.13.u8",
                "status": "affected",
                "version": "7.4.13",
                "versionType": "maven"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25610",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-28T13:32:33.811894Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T13:37:03.603Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.12",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u8",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.3.10-dxp-3",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "7.2.10-dxp-18",
              "status": "affected",
              "version": "7.2.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry\u2019s content text field."
            }
          ],
          "value": "In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry\u2019s content text field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188 Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T12:42:46.027Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2024-25610",
    "datePublished": "2024-02-20T12:42:46.027Z",
    "dateReserved": "2024-02-08T13:57:11.426Z",
    "dateUpdated": "2024-08-28T13:37:03.603Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-1570
Vulnerability from cvelistv5
Published
2011-05-07 19:00
Modified
2024-09-16 20:58
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:28:41.945Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
          },
          {
            "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/browse/LPS-12628"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/browse/LPS-13250"
          },
          {
            "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-05-07T19:00:00Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
        },
        {
          "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/browse/LPS-12628"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/browse/LPS-13250"
        },
        {
          "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-1570",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20110408 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
            },
            {
              "name": "[oss-security] 20110411 Re: CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
            },
            {
              "name": "http://issues.liferay.com/browse/LPS-12628",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/browse/LPS-12628"
            },
            {
              "name": "http://issues.liferay.com/browse/LPS-13250",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/browse/LPS-13250"
            },
            {
              "name": "[oss-security] 20110329 CVE requests : Liferay 6.0.6",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
            },
            {
              "name": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952",
              "refsource": "CONFIRM",
              "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-1570",
    "datePublished": "2011-05-07T19:00:00Z",
    "dateReserved": "2011-04-05T00:00:00Z",
    "dateUpdated": "2024-09-16T20:58:25.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33938
Vulnerability from cvelistv5
Published
2023-05-24 13:20
Modified
2024-10-22 15:52
Summary
Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.714Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33938"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33938",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:46:09.421886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:52:48.350Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.0",
              "status": "affected",
              "version": "7.3.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.3.10.u13",
              "status": "affected",
              "version": "7.3.10",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site scripting (XSS) vulnerability in the App Builder module\u0027s custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object\u0027s `Name` field."
            }
          ],
          "value": "Cross-site scripting (XSS) vulnerability in the App Builder module\u0027s custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object\u0027s `Name` field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T13:20:19.626Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33938"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33938",
    "datePublished": "2023-05-24T13:20:19.626Z",
    "dateReserved": "2023-05-24T02:36:00.163Z",
    "dateUpdated": "2024-10-22T15:52:48.350Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33331
Vulnerability from cvelistv5
Published
2021-08-03 20:43
Modified
2024-08-03 23:50
Severity ?
Summary
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.593Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17022"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the \u0027redirect\u0027 parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T20:43:55",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17022"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33331",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the \u0027redirect\u0027 parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17022",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17022"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33331",
    "datePublished": "2021-08-03T20:43:55",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33333
Vulnerability from cvelistv5
Published
2021-08-03 20:47
Modified
2024-08-03 23:50
Severity ?
Summary
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:41.583Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17032"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T20:47:50",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17032"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33333",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17032",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17032"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33333",
    "datePublished": "2021-08-03T20:47:50",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:41.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-16891
Vulnerability from cvelistv5
Published
2019-10-04 00:00
Modified
2024-08-05 01:24
Severity ?
Summary
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.liferay.com/downloads-community"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.youtube.com/watch?v=DjMEfQW3bf0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://dappsec.substack.com/p/an-advisory-for-cve-2019-16891-from"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-27T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.liferay.com/downloads-community"
        },
        {
          "url": "https://www.youtube.com/watch?v=DjMEfQW3bf0"
        },
        {
          "url": "https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/"
        },
        {
          "url": "https://dappsec.substack.com/p/an-advisory-for-cve-2019-16891-from"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-16891",
    "datePublished": "2019-10-04T00:00:00",
    "dateReserved": "2019-09-25T00:00:00",
    "dateUpdated": "2024-08-05T01:24:48.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-3670
Vulnerability from cvelistv5
Published
2016-06-13 14:00
Modified
2024-08-06 00:03
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T00:03:34.472Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://labs.integrity.pt/advisories/cve-2016-3670/"
          },
          {
            "name": "39880",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/39880/"
          },
          {
            "name": "20160601 CVE-2016-3670 Stored Cross Site Scripting in Liferay CE",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Jun/5"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPS-62387"
          },
          {
            "name": "1036083",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036083"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-06-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-15T15:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://labs.integrity.pt/advisories/cve-2016-3670/"
        },
        {
          "name": "39880",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/39880/"
        },
        {
          "name": "20160601 CVE-2016-3670 Stored Cross Site Scripting in Liferay CE",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Jun/5"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPS-62387"
        },
        {
          "name": "1036083",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036083"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-3670",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://labs.integrity.pt/advisories/cve-2016-3670/",
              "refsource": "MISC",
              "url": "https://labs.integrity.pt/advisories/cve-2016-3670/"
            },
            {
              "name": "39880",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/39880/"
            },
            {
              "name": "20160601 CVE-2016-3670 Stored Cross Site Scripting in Liferay CE",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Jun/5"
            },
            {
              "name": "https://issues.liferay.com/browse/LPS-62387",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPS-62387"
            },
            {
              "name": "1036083",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036083"
            },
            {
              "name": "http://packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-3670",
    "datePublished": "2016-06-13T14:00:00",
    "dateReserved": "2016-03-24T00:00:00",
    "dateUpdated": "2024-08-06T00:03:34.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-12649
Vulnerability from cvelistv5
Published
2017-08-07 16:00
Modified
2024-09-17 02:17
Severity ?
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/brianchandotcom/liferay-portal/pull/47579"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T16:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/brianchandotcom/liferay-portal/pull/47579"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12649",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/brianchandotcom/liferay-portal/pull/47579",
              "refsource": "CONFIRM",
              "url": "https://github.com/brianchandotcom/liferay-portal/pull/47579"
            },
            {
              "name": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-12649",
    "datePublished": "2017-08-07T16:00:00Z",
    "dateReserved": "2017-08-07T00:00:00Z",
    "dateUpdated": "2024-09-17T02:17:07.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42131
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42131"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17377"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module\u0027s REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42131"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17377"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42131",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33334
Vulnerability from cvelistv5
Published
2021-08-03 20:52
Modified
2024-08-03 23:50
Severity ?
Summary
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.271Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17039"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms \"Access in Site Administration\" permission to view all forms and form entries in a site via the forms section in site administration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T20:52:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-17039"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33334",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms \"Access in Site Administration\" permission to view all forms and form entries in a site via the forms section in site administration."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-17039",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-17039"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33334",
    "datePublished": "2021-08-03T20:52:00",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38265
Vulnerability from cvelistv5
Published
2022-03-02 23:03
Modified
2024-08-04 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.335Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-20T19:50:41",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://liferay.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-38265",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://liferay.com",
              "refsource": "MISC",
              "url": "http://liferay.com"
            },
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name",
              "refsource": "MISC",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-38265",
    "datePublished": "2022-03-02T23:03:31",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.335Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-33946
Vulnerability from cvelistv5
Published
2023-05-24 15:28
Modified
2024-10-22 15:51
Summary
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.397Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33946",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T15:44:36.680172Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T15:51:52.390Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.48",
              "status": "affected",
              "version": "7.4.3.4",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13.u48",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page."
            }
          ],
          "value": "The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-24T15:28:28.713Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2023-33946",
    "datePublished": "2023-05-24T15:28:28.713Z",
    "dateReserved": "2023-05-24T02:36:00.165Z",
    "dateUpdated": "2024-10-22T15:51:52.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-42124
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 13:03
Severity ?
Summary
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:03:45.475Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://liferay.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42124"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17435"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-17535"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the \u0027name\u0027 field of a layout prototype."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://liferay.com"
        },
        {
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42124"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17435"
        },
        {
          "url": "https://issues.liferay.com/browse/LPE-17535"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42124",
    "datePublished": "2022-11-15T00:00:00",
    "dateReserved": "2022-10-03T00:00:00",
    "dateUpdated": "2024-08-03T13:03:45.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33322
Vulnerability from cvelistv5
Published
2021-08-03 18:29
Modified
2024-08-03 23:50
Severity ?
Summary
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:42.319Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.liferay.com/browse/LPE-16981"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user\u2019s password via the old password reset token."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-03T18:29:17",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.liferay.com/browse/LPE-16981"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33322",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user\u2019s password via the old password reset token."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020",
              "refsource": "CONFIRM",
              "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020"
            },
            {
              "name": "https://issues.liferay.com/browse/LPE-16981",
              "refsource": "CONFIRM",
              "url": "https://issues.liferay.com/browse/LPE-16981"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33322",
    "datePublished": "2021-08-03T18:29:17",
    "dateReserved": "2021-05-20T00:00:00",
    "dateUpdated": "2024-08-03T23:50:42.319Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2024-02-20 10:15
Modified
2024-12-11 17:56
Summary
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA3FDC34-0257-4B20-85E8-2195965EDD8E",
              "versionEndExcluding": "7.4.3.19",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the \u0027REPLACEMENT CHARACTER\u0027 (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect."
    },
    {
      "lang": "es",
      "value": "HtmlUtil.escapeRedirect en Liferay Portal 7.2.0 a 7.4.3.18 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 19, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 19 y versiones anteriores no compatibles se puede eludir utilizando el \u0027REPLACEMENT CHARACTER\u0027 (U+FFFD), lo que permite a atacantes remotos redirigir a los usuarios a URL externas arbitrarias a trav\u00e9s del (1) par\u00e1metro `redirect`, (2) par\u00e1metro `FORWARD_URL`, (3) par\u00e1metro `noSuchEntryRedirect` y (4) otros par\u00e1metros que dependen de HtmlUtil.escapeRedirect."
    }
  ],
  "id": "CVE-2024-25608",
  "lastModified": "2024-12-11T17:56:22.230",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T10:15:08.530",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2011-05-07 19:55
Modified
2024-11-21 01:26
Severity ?
Summary
The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "8AEE2383-4164-4729-8A51-EC4F5C4CB086",
              "versionEndIncluding": "5.1.2",
              "versionStartIncluding": "5.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "1D5343EC-9611-43F3-8A4F-57450BE47951",
              "versionEndIncluding": "5.2.3",
              "versionStartIncluding": "5.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "36D6FB97-DA02-4BE8-9546-2676F79BD9BA",
              "versionEndIncluding": "6.0.5",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E33796DB-4523-4F04-B564-ADF030553D51",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL."
    },
    {
      "lang": "es",
      "value": "XSL Content portlet en Liferay Portal Community Edition (CE) v5.x y v6.x anterior a 6.0.6 GA, cuando Apache Tomcat o Oracle GlassFish es usado, permite a usuarios remotos autenticados leer ficheros arbitrarios (1) XSL y (2) XML mediante una URL file:///."
    }
  ],
  "id": "CVE-2011-1503",
  "lastModified": "2024-11-21T01:26:27.590",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-05-07T19:55:00.997",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-13762"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-13762"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-08 04:15
Modified
2024-11-21 09:00
Summary
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions return different responses depending on whether a site does not exist or the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.
Impacted products
Vendor Product Version
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "74FAF597-EAAD-4BB5-AB99-8129476A7E89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "20F078A3-A3EE-4CCA-816D-3C053E7D7FE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "C33EBD80-91DD-401C-9337-171C07B5D489",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F247D45A-D3E4-4EDD-A18D-147FFBEF0935",
              "versionEndIncluding": "7.4.1",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions return different responses depending on whether a site does not exist or the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used."
    },
    {
      "lang": "es",
      "value": "Liferay Portal 7.2.0 a 7.4.1 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al service pack 3, 7.2 anterior al fix pack 18 y versiones anteriores no compatibles devuelven respuestas diferentes dependiendo de si un sitio no existe o si el usuario no tiene permiso para acceder al sitio, lo que permite a atacantes remotos descubrir la existencia de sitios enumerando las URL. Esta vulnerabilidad ocurre si locale.prepend.friendly.url.style=2 y si se utiliza una p\u00e1gina 404 personalizada."
    }
  ],
  "id": "CVE-2024-25146",
  "lastModified": "2024-11-21T09:00:20.870",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-08T04:15:08.040",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 12:15
Modified
2024-11-21 06:00
Summary
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.
Impacted products
Vendor Product Version
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.3
liferay liferay_portal 7.3.4
liferay liferay_portal 7.3.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C673509-5436-44DF-AFCE-BE5C3188D62F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B842A08-1EDB-4232-89C9-9B966E251B3B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la p\u00e1gina de administraci\u00f3n de p\u00e1ginas del m\u00f3dulo Layout en Liferay Portal versiones 7.3.4, 7.3.5 y Liferay DXP versiones 7.2 anteriores a fixpack 11 y versiones 7.3 anteriores a fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del par\u00e1metro _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name."
    }
  ],
  "id": "CVE-2021-29048",
  "lastModified": "2024-11-21T06:00:35.617",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T12:15:07.427",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 10:15
Modified
2024-12-11 18:01
Summary
The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E43CC402-96D6-414B-9636-42D7EA642FD6",
              "versionEndIncluding": "7.4.3.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes."
    },
    {
      "lang": "es",
      "value": "El algoritmo de hash de contrase\u00f1a predeterminado (PBKDF2-HMAC-SHA1) en Liferay Portal 7.2.0 a 7.4.3.15 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 16, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 17 y versiones anteriores no compatibles, tiene por defecto un factor de trabajo bajo, lo que permite a los atacantes descifrar r\u00e1pidamente los hashes de contrase\u00f1as."
    }
  ],
  "id": "CVE-2024-25607",
  "lastModified": "2024-12-11T18:01:46.027",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T10:15:08.333",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-916"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-916"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-12-17 22:15
Modified
2025-01-28 21:18
Summary
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform *
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB292A92-C12B-486D-B4EE-421BFFD636AF",
              "versionEndExcluding": "7.4.3.88",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F20477F-7F50-40D8-8DB2-251B4BC74207",
              "versionEndExcluding": "7.3",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
              "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
              "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*",
              "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*",
              "matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
              "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*",
              "matchCriteriaId": "1F8A9DEC-2C27-4EBB-B684-8EBDB374CFCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*",
              "matchCriteriaId": "C3E7B777-8026-4C8F-9353-B5504873E0F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*",
              "matchCriteriaId": "2207FEE5-2537-4C6E-AC9C-EC53DBF3C57E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*",
              "matchCriteriaId": "087A2B43-07CE-4B3D-B879-449631DDA8D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*",
              "matchCriteriaId": "019CED83-6277-434C-839C-6C4E0C45FB1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*",
              "matchCriteriaId": "6C533124-74E6-4312-9AF7-6496DE2A5152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*",
              "matchCriteriaId": "8DDA248D-5F00-4FC1-B857-A7942BAA1F3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*",
              "matchCriteriaId": "6C6BA174-69D4-43FC-9395-1B6306A44CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*",
              "matchCriteriaId": "A465C229-D3FB-43E9-87BE-119BEE9110F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*",
              "matchCriteriaId": "32E98546-CE96-4BB8-A11C-F7E850C155F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*",
              "matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*",
              "matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*",
              "matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*",
              "matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
              "matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
              "matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy\u0027s `Service Class` text field."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de cross-site scripting (XSS) en Service Access Policy page en Liferay Portal 7.0.0 a 7.4.3.87, y Liferay DXP 7.4 GA a la actualizaci\u00f3n 87, 7.3 GA a la actualizaci\u00f3n 29 y versiones anteriores no compatibles permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un payload manipulado inyectado en el campo de texto \"Clase de servicio\" de una pol\u00edtica de acceso al servicio."
    }
  ],
  "id": "CVE-2023-37940",
  "lastModified": "2025-01-28T21:18:48.497",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-12-17T22:15:05.080",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2023-37940"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-06-10 19:15
Modified
2024-11-21 05:01
Summary
Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 do not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "AB4DACB5-6018-484E-B4D4-83A6070EB11E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "5309DDFD-9B58-437A-9ADF-D0A3F7B5328F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "323159D4-B013-4F7F-951B-A9EEA14B67FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "040B88A2-3AB5-48F4-AEDD-A4579A172C36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "EE4E1281-8507-42CB-9330-7D4B23247164",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "3CBB1548-87A9-433E-A9B1-E83ACD627DD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "BD811C1C-7736-4AED-A637-9A5DEF2E895B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers."
    },
    {
      "lang": "es",
      "value": "Liferay Portal versiones 7.x anteriores a 7.3.2 y Liferay DXP versiones 7.0 anteriores a fixpack 92, versiones 7.1 anteriores a fixpack 18 y versiones 7.2 anteriores a fixpack 5, no sanean la informaci\u00f3n devuelta por la API DDMDataProvider, que permite a los usuarios autenticados remotos obtener la contrase\u00f1a en REST Data Providers"
    }
  ],
  "id": "CVE-2020-13444",
  "lastModified": "2024-11-21T05:01:16.910",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-10T19:15:09.883",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://issues.liferay.com/browse/LPE-17009"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://issues.liferay.com/browse/LPE-17009"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 14:15
Modified
2025-01-28 21:37
Summary
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exists in the application by comparing the request's response time.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay liferay_portal *
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB1BD676-9B8D-44B0-9EAA-777EC43859DB",
              "versionEndIncluding": "7.3.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE5E4603-8FA6-4041-8C76-46374C479191",
              "versionEndExcluding": "7.4.3.27",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "6A773FC6-429D-483D-9736-25323B55A71F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "B6AAAAF1-994E-409D-8FC7-DE2A2CF60AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exists in the application by comparing the request\u0027s response time."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de enumeraci\u00f3n de usuarios en Liferay Portal 7.2.0 a 7.4.3.26 y versiones anteriores no soportadas, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 27, 7.3 antes de la actualizaci\u00f3n 8, 7.2 antes del fixpack 20 y versiones anteriores no soportadas permite a atacantes remotos determinar si una cuenta existe en la aplicaci\u00f3n comparando el tiempo de respuesta de la solicitud."
    }
  ],
  "id": "CVE-2024-26268",
  "lastModified": "2025-01-28T21:37:57.970",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T14:15:09.350",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-18 21:15
Modified
2024-11-21 07:24
Summary
Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E68913A-1A6F-4AFC-AFAD-A9372AFE6281",
              "versionEndExcluding": "7.4.3.37",
              "versionStartIncluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Object module\u0027s edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field\u0027s `Label` text field."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la p\u00e1gina de edici\u00f3n de detalles de objetos del m\u00f3dulo Object en Liferay Portal 7.4.3.4 hasta 7.4.3.36, permite a atacantes remotos inyectar script web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada inyectada en el campo de texto \"Label\" del campo de objetos"
    }
  ],
  "id": "CVE-2022-42115",
  "lastModified": "2024-11-21T07:24:23.300",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-18T21:15:16.330",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42115"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42115"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 13:15
Modified
2024-12-11 17:53
Summary
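In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field. (The record below carries two CVSS 3.1 ratings for this issue: 9.0 Critical, C:H/I:H/A:H, from security@liferay.com, and 5.4 Medium, C:L/I:L/A:N, from nvd@nist.gov; the severity used for prioritisation depends on which source is consumed.)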
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F2855EC-0F83-4119-95BB-709C414D7E05",
              "versionEndExcluding": "7.4.3.13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry\u2019s content text field."
    },
    {
      "lang": "es",
      "value": "En Liferay Portal 7.2.0 a 7.4.3.12 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 9, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 19 y versiones anteriores no compatibles, la configuraci\u00f3n predeterminada no sanitiza las entradas del blog de JavaScript, que permite a usuarios remotos autenticados inyectar script web o HTML (XSS) arbitrarios mediante un payload manipulado que se inyect\u00f3 en el campo de texto de contenido de una entrada de blog."
    }
  ],
  "id": "CVE-2024-25610",
  "lastModified": "2024-12-11T17:53:18.093",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T13:15:08.493",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A81CC5D-37E3-410F-9FD6-7DC84AB286CC",
              "versionEndIncluding": "7.4.2",
              "versionStartIncluding": "7.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "2B420A18-5C8B-470F-9189-C84F8DAA74D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "A7A399C4-6D4B-438C-9BAE-2893E457028A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "0CBACD88-B4F8-4496-9706-C666768AC9B9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8."
    },
    {
      "lang": "es",
      "value": "Ciertos productos de Liferay son vulnerables a Cross Site Scripting (XSS) a trav\u00e9s del m\u00f3dulo Commerce. Esto afecta a Liferay Portal 7.3.5 hasta 7.4.2 y Liferay DXP 7.3 antes de la actualizaci\u00f3n 8."
    }
  ],
  "id": "CVE-2022-42119",
  "lastModified": "2024-11-21T07:24:23.913",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:12.587",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17632"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42119"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17632"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42119"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8D5371D-B65B-4EBC-A6D5-823AD1EB3EE5",
              "versionEndExcluding": "7.4.3.36",
              "versionStartIncluding": "7.4.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de deslizamiento de zip en FileUtil.unzip en Liferay Portal 7.4.3.5 hasta 7.4.3.35 y Liferay DXP 7.4 actualizaci\u00f3n 1 hasta la actualizaci\u00f3n 34 permite a los atacantes crear o sobrescribir archivos existentes en el sistema de archivos mediante la implementaci\u00f3n de un complemento/m\u00f3dulo malicioso."
    }
  ],
  "id": "CVE-2022-42125",
  "lastModified": "2024-11-21T07:24:24.877",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:13.200",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17517"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17517"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42125"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 16:15
Modified
2024-11-21 08:06
Summary
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3876F538-0E3F-4375-A52B-191D72FABCF2",
              "versionEndIncluding": "7.4.3.68",
              "versionStartIncluding": "7.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment\u0027s `URL` text field."
    }
  ],
  "id": "CVE-2023-33944",
  "lastModified": "2024-11-21T08:06:15.713",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T16:15:09.693",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-09-09 21:15
Modified
2024-11-21 04:30
Summary
Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73595C28-A21B-4C48-A326-33B0159B37A1",
              "versionEndExcluding": "7.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "88F1EED2-D198-4C40-9807-731796074FCF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "EB4A5FD6-845A-4C41-B98E-C74468DA438F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "86834E33-4C24-4AD0-9C9E-E3C49C0B7578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "07B30D08-AB09-401D-8409-A6EFF0E1B494",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:ga1:*:*:*:*:*:*",
              "matchCriteriaId": "EA3A09FF-63B3-4EFA-A905-F46F767F7E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "FA711ED3-549B-45A3-9368-BE0B4AB7747D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "A93620D5-5283-4A89-B90D-F956BC6FD574",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F32A70F1-BDFC-4B2C-9963-4CF5B263FFC5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib."
    },
    {
      "lang": "es",
      "value": "Liferay Portal versiones hasta 7.2.0 GA1, permite un ataque de tipo XSS por medio de un t\u00edtulo de art\u00edculo de revista en el archivo journal_article/page.jsp en journal/journal-taglib."
    }
  ],
  "id": "CVE-2019-16147",
  "lastModified": "2024-11-21T04:30:08.917",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-09-09T21:15:11.077",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.
Impacted products
Vendor Product Version
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1DA4ECD-E16A-4CD9-BB4B-FF80E3641D67",
              "versionEndExcluding": "7.3.4",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if \"Role Visibility\" is enabled."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Portlet Configuration de Liferay Portal versiones 7.2.0 hasta 7.3.3, y Liferay DXP versiones 7.0 fix pack 93 y 94, versiones 7.1 fix pack 18, y versiones 7.2 anteriores a fix pack 8, no comprueba apropiadamente los permisos de usuarios, que permite a usuarios autenticados remotos visualizar el rol de invitado y de usuario incluso si la \"Role Visibility\" est\u00e1 habilitada"
    }
  ],
  "id": "CVE-2021-33327",
  "lastModified": "2024-11-21T06:08:41.970",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.787",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17075"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17075"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-17 09:15
Modified
2024-11-21 08:22
Summary
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2AD42484-BDB9-4ECE-B003-259B35FB0DE6",
              "versionEndExcluding": "7.4.3.88",
              "versionStartIncluding": "7.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary\u0027s \u0027description\u0027 text field."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) en la p\u00e1gina de gesti\u00f3n de vocabulario en Liferay Portal v7.4.2 hasta v7.4.3.87, y Liferay DXP v7.4 anterior a la actualizaci\u00f3n 88 permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s de un payload manipulado inyectado en un vocabulario campo de texto \u0027description\u0027."
    }
  ],
  "id": "CVE-2023-42629",
  "lastModified": "2024-11-21T08:22:50.527",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T09:15:10.167",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629"
    },
    {
      "source": "security@liferay.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.
Impacted products
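Vendor Product Version Update
liferay dxp 7.2 -
liferay dxp 7.2 fix_pack_1
liferay dxp 7.2 fix_pack_2
liferay dxp 7.2 fix_pack_3
liferay dxp 7.2 fix_pack_4
liferay dxp 7.2 fix_pack_5
liferay dxp 7.2 fix_pack_6
liferay dxp 7.2 fix_pack_7
liferay dxp 7.2 fix_pack_8
liferay liferay_portal * (>= 7.2.0, < 7.3.3)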



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "46F556AC-F439-4A82-8A5C-DAE70647A2A4",
              "versionEndExcluding": "7.3.3",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user\u2019s email address and current CSRF token."
    },
    {
      "lang": "es",
      "value": "Liferay Portal versiones 7.2.0 hasta 7.3.2, y Liferay DXP versiones 7.2 anteriores a fix pack 9, permite el acceso a recursos protegidos por Cross-origin resource sharing (CORS) si el usuario s\u00f3lo es autenticado usando la autenticaci\u00f3n de sesi\u00f3n del portal, lo que permite a atacantes remotos obtener informaci\u00f3n confidencial, incluyendo la direcci\u00f3n de correo electr\u00f3nico del usuario objetivo y el token de tipo CSRF actual"
    }
  ],
  "id": "CVE-2021-33330",
  "lastModified": "2024-11-21T06:08:42.287",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.853",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17127"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17127"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 02:15
Modified
2024-11-21 07:24
Summary
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.
Impacted products
Vendor Product Version Update
liferay digital_experience_platform 7.1 -
liferay digital_experience_platform 7.1 fix_pack_1
liferay digital_experience_platform 7.1 fix_pack_10
liferay digital_experience_platform 7.1 fix_pack_11
liferay digital_experience_platform 7.1 fix_pack_12
liferay digital_experience_platform 7.1 fix_pack_13
liferay digital_experience_platform 7.1 fix_pack_14
liferay digital_experience_platform 7.1 fix_pack_15
liferay digital_experience_platform 7.1 fix_pack_16
liferay digital_experience_platform 7.1 fix_pack_17
liferay digital_experience_platform 7.1 fix_pack_18
liferay digital_experience_platform 7.1 fix_pack_19
liferay digital_experience_platform 7.1 fix_pack_2
liferay digital_experience_platform 7.1 fix_pack_20
liferay digital_experience_platform 7.1 fix_pack_21
liferay digital_experience_platform 7.1 fix_pack_22
liferay digital_experience_platform 7.1 fix_pack_23
liferay digital_experience_platform 7.1 fix_pack_24
liferay digital_experience_platform 7.1 fix_pack_25
liferay digital_experience_platform 7.1 fix_pack_26
liferay digital_experience_platform 7.1 fix_pack_3
liferay digital_experience_platform 7.1 fix_pack_4
liferay digital_experience_platform 7.1 fix_pack_5
liferay digital_experience_platform 7.1 fix_pack_6
liferay digital_experience_platform 7.1 fix_pack_7
liferay digital_experience_platform 7.1 fix_pack_8
liferay digital_experience_platform 7.1 fix_pack_9
liferay digital_experience_platform 7.2 -
liferay digital_experience_platform 7.2 fix_pack_1
liferay digital_experience_platform 7.2 fix_pack_10
liferay digital_experience_platform 7.2 fix_pack_11
liferay digital_experience_platform 7.2 fix_pack_12
liferay digital_experience_platform 7.2 fix_pack_13
liferay digital_experience_platform 7.2 fix_pack_14
liferay digital_experience_platform 7.2 fix_pack_15
liferay digital_experience_platform 7.2 fix_pack_16
liferay digital_experience_platform 7.2 fix_pack_2
liferay digital_experience_platform 7.2 fix_pack_3
liferay digital_experience_platform 7.2 fix_pack_4
liferay digital_experience_platform 7.2 fix_pack_5
liferay digital_experience_platform 7.2 fix_pack_6
liferay digital_experience_platform 7.2 fix_pack_7
liferay digital_experience_platform 7.2 fix_pack_8
liferay digital_experience_platform 7.2 fix_pack_9
liferay digital_experience_platform 7.3 -
liferay digital_experience_platform 7.4 -
liferay liferay_portal * (>= 7.1.0, < 7.4.3.5)



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4CC72-C15A-40DE-AFF4-0B6B79BFB2BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "43C11288-1C48-47A0-95DF-A48F3C0285F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "5ECF3B18-D0DB-4FB6-9F6F-B63A6CE45081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "79AC7C0B-4135-4C24-8D37-A9431156E3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "7289F71D-ECEB-4FB9-A53F-D3F4D1315ADD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "C18AE68F-6EF0-4132-A3D8-C2D77A842137",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "4C5F0729-7B44-4B9E-949F-6A66D8176E11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "B883C27E-3C14-4686-A0E8-8969B4246CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F52D52E3-9D1D-4CF7-84B8-6EFEF2F05434",
              "versionEndExcluding": "7.4.3.5",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualizaci\u00f3n 4 y 7.4 GA no comprueba correctamente el permiso de las entradas del formulario, lo que permite usuarios remotos autenticados para ver y acceder a todas las entradas del formulario."
    }
  ],
  "id": "CVE-2022-42130",
  "lastModified": "2024-11-21T07:24:25.640",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T02:15:11.873",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17447"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17447"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-04 14:15
Modified
2024-11-21 06:12
Summary
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter.
Impacted products
Vendor Product Version
liferay liferay_portal 7.4.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D77AE89B-3769-4AEC-AF7B-00AAE3F345F9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el m\u00f3dulo Frontend Taglib de Liferay Portal versi\u00f3n 7.4.0, permite a atacantes remotos inyectar script web o HTML arbitrarios en la b\u00fasqueda de la barra de herramientas de administraci\u00f3n por medio del par\u00e1metro \"keywords\""
    }
  ],
  "id": "CVE-2021-35463",
  "lastModified": "2024-11-21T06:12:19.740",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-04T14:15:08.377",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120850663"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120850663"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-01-28 12:15
Modified
2024-11-21 05:23
Summary
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run Groovy scripts and therefore not a design flaw.
Impacted products
Vendor Product Version Update
liferay liferay_portal 7.2 ga1 (sw_edition: community)
liferay liferay_portal 7.3.5 ga6 (sw_edition: community)



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "EE4E1281-8507-42CB-9330-7D4B23247164",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.5:ga6:*:*:community:*:*:*",
              "matchCriteriaId": "C954CFAB-373F-4E6F-9DDD-DDACC0ED3353",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw."
    },
    {
      "lang": "es",
      "value": "** EN DISPUTA ** Liferay Portal Server probado en versiones 7.3.5 GA6, 7.2.0 GA1, est\u00e1 afectado por la Inyecci\u00f3n de Comandos del Sistema Operativo. Un usuario administrador puede inyectar un script Groovy para ejecutar cualquier comando del Sistema Operativo en Liferay Portal Sever. NOTA: El desarrollador discute que esto sea una vulnerabilidad ya que es una caracter\u00edstica para que los administradores ejecuten scripts groovy y por lo tanto no es un defecto de dise\u00f1o"
    }
  ],
  "id": "CVE-2020-28884",
  "lastModified": "2024-11-21T05:23:14.140",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-28T12:15:07.913",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://learn.liferay.com/dxp/latest/en/system-administration/using-the-script-engine/running-scripts-from-the-script-console.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://learn.liferay.com/dxp/latest/en/system-administration/using-the-script-engine/running-scripts-from-the-script-console.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 11:15
Modified
2024-11-21 06:00
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay liferay_portal 7.3.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B842A08-1EDB-4232-89C9-9B966E251B3B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en el campo de entrada del selector de categor\u00eda del m\u00f3dulo Asset en Liferay Portal versi\u00f3n 7.3.5 y Liferay DXP versiones 7.3 anteriores a fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del par\u00e1metro _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title"
    }
  ],
  "id": "CVE-2021-29046",
  "lastModified": "2024-11-21T06:00:35.323",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T11:15:07.277",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-04 14:15
Modified
2024-11-21 06:08
Summary
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3196CFB1-2DEB-4546-A8DE-75F9DF500000",
              "versionEndIncluding": "7.3.2",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Layout en Liferay Portal versiones 7.1.0 hasta 7.3.2, y Liferay DXP versiones 7.1 anteriores a fix pack 19, y versiones 7.2 anteriores a fix pack 6, expone el token CSRF en las URLs, lo que permite a atacantes de tipo man-in-the-middle obtener el token y llevar a cabo ataques de tipo Cross-Site Request Forgery (CSRF) por medio del par\u00e1metro p_auth"
    }
  ],
  "id": "CVE-2021-33338",
  "lastModified": "2024-11-21T06:08:43.580",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-04T14:15:08.347",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17030"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17030"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2016-06-13 14:59
Modified
2024-11-21 02:50
Summary
Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:ga6:*:*:community_edition:*:*:*",
              "matchCriteriaId": "ABC83FA6-F7FB-440D-B660-2536A8183E93",
              "versionEndIncluding": "6.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de XSS en users.jsp en la funcionalidad Profile Search functionality en Liferay en versiones anteriores a 7.0.0 CE RC1 permite a atacantes remotos inyectar comandos web o HTML arbitrarios a trav\u00e9s del campo FirstName."
    }
  ],
  "id": "CVE-2016-3670",
  "lastModified": "2024-11-21T02:50:28.840",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-06-13T14:59:03.963",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/Jun/5"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id/1036083"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPS-62387"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://labs.integrity.pt/advisories/cve-2016-3670/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.exploit-db.com/exploits/39880/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/Jun/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1036083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPS-62387"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://labs.integrity.pt/advisories/cve-2016-3670/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.exploit-db.com/exploits/39880/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 16:15
Modified
2024-11-21 08:06
Summary
SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4DFF5AC-510D-4930-A6C8-214A1320AA5C",
              "versionEndIncluding": "7.4.3.17",
              "versionStartIncluding": "7.3.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table\u0027s primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded."
    }
  ],
  "id": "CVE-2023-33945",
  "lastModified": "2024-11-21T08:06:15.860",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T16:15:09.760",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-08 04:15
Modified
2024-11-21 09:00
Summary
In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions, the `doAsUserId` URL parameter may be leaked when creating linked content using the WYSIWYG editor while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.
Impacted products
Vendor Product Version
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F247D45A-D3E4-4EDD-A18D-147FFBEF0935",
              "versionEndIncluding": "7.4.1",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions, the `doAsUserId` URL parameter may be leaked when linked content is created using the WYSIWYG editor while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content."
    },
    {
      "lang": "es",
      "value": "En Liferay Portal 7.2.0 a 7.4.1 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al service pack 3, 7.2 anterior al fix pack 15 y versiones anteriores no compatibles, el par\u00e1metro URL `doAsUserId` puede filtrarse al crear contenido vinculado mediante el editor WYSIWYG y mientras se hace pasar por un usuario. Esto puede permitir que los usuarios autenticados remotamente se hagan pasar por un usuario despu\u00e9s de acceder al contenido vinculado."
    }
  ],
  "id": "CVE-2024-25148",
  "lastModified": "2024-11-21T09:00:21.143",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-08T04:15:08.240",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-10-22 15:15
Modified
2024-12-10 21:06
Summary
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 36, does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform *
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD",
              "versionEndExcluding": "2023.q3.9",
              "versionStartIncluding": "2023.q3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F",
              "versionEndExcluding": "2023.q4.6",
              "versionStartIncluding": "2023.q4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
              "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
              "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*",
              "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*",
              "matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
              "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*",
              "matchCriteriaId": "1F8A9DEC-2C27-4EBB-B684-8EBDB374CFCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*",
              "matchCriteriaId": "C3E7B777-8026-4C8F-9353-B5504873E0F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*",
              "matchCriteriaId": "2207FEE5-2537-4C6E-AC9C-EC53DBF3C57E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*",
              "matchCriteriaId": "087A2B43-07CE-4B3D-B879-449631DDA8D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*",
              "matchCriteriaId": "019CED83-6277-434C-839C-6C4E0C45FB1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*",
              "matchCriteriaId": "6C533124-74E6-4312-9AF7-6496DE2A5152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*",
              "matchCriteriaId": "8DDA248D-5F00-4FC1-B857-A7942BAA1F3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*",
              "matchCriteriaId": "6C6BA174-69D4-43FC-9395-1B6306A44CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*",
              "matchCriteriaId": "A465C229-D3FB-43E9-87BE-119BEE9110F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*",
              "matchCriteriaId": "32E98546-CE96-4BB8-A11C-F7E850C155F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*",
              "matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*",
              "matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*",
              "matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*",
              "matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*",
              "matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*",
              "matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
              "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
              "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
              "matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
              "matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update36:*:*:*:*:*:*",
              "matchCriteriaId": "E7FBF515-C800-41F3-9A0E-E850BE09FA93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
              "matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
              "matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F2C2272-3E19-4836-BCA5-660208D5985D",
              "versionEndIncluding": "7.3.7",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D6470C7-9D36-43F3-86CB-B79ED9EA53F4",
              "versionEndExcluding": "7.4.3.112",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API."
    },
    {
      "lang": "es",
      "value": " El componente workflow en Liferay Portal 7.3.2 a 7.4.3.111, y Liferay DXP 2023.Q4.0 a 2023.Q4.5, 2023.Q3.1 a 2023.Q3.8, 7.4 GA a la actualizaci\u00f3n 92 y 7.3 GA a la actualizaci\u00f3n 36 no verifica correctamente los permisos de usuario antes de actualizar una definici\u00f3n de workflow, lo que permite a los usuarios autenticados remotos modificar las definiciones de workflow y ejecutar c\u00f3digo arbitrario (RCE) a trav\u00e9s de la API sin interfaz gr\u00e1fica."
    }
  ],
  "id": "CVE-2024-38002",
  "lastModified": "2024-12-10T21:06:57.970",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-22T15:15:06.277",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2014-11-24 16:59
Modified
2024-11-21 02:18
Summary
Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:sp8:*:*:enterprise:*:*:*",
              "matchCriteriaId": "DC5E2BCD-1DBB-4C5F-85CA-AEBA418AD77F",
              "versionEndIncluding": "6.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de XSS en Liferay Portal Enterprise Edition (EE) 6.2 SP8 y anteriores permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro _20_body en el campo de comentario en un fichero subido."
    }
  ],
  "id": "CVE-2014-8349",
  "lastModified": "2024-11-21T02:18:54.947",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-11-24T16:59:03.290",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://seclists.org/fulldisclosure/2014/Nov/61"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id/1031255"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2014/Nov/61"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1031255"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
In the Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, users' clear-text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "94896449-7A52-40D2-8E76-26DC60D7BA9A",
              "versionEndExcluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, users\u0027 clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user\u0027s password."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Portal Workflow en Liferay Portal versiones 7.3.2 y anteriores, y Liferay DXP versiones 7.0 anterior a fix pack 93, versiones 7.1 anterior a fix pack 19 y versiones 7.2 anterior a fix pack 7, unas contrase\u00f1as de texto sin cifrar de usuarios son almacenadas en la base de datos si el flujo de trabajo est\u00e1 habilitado para la creaci\u00f3n de usuarios, que permite a atacantes con acceso a la base de datos obtener la contrase\u00f1a de un usuario"
    }
  ],
  "id": "CVE-2021-33325",
  "lastModified": "2024-11-21T06:08:41.650",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.720",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17042"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17042"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-312"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 02:15
Modified
2024-11-21 07:24
Summary
Certain Liferay products do not validate SSL certificates in the Dynamic Data Mapping module's REST data providers (Missing SSL Certificate Validation). This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3.
Impacted products
Vendor Product Version
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4CC72-C15A-40DE-AFF4-0B6B79BFB2BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "43C11288-1C48-47A0-95DF-A48F3C0285F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "5ECF3B18-D0DB-4FB6-9F6F-B63A6CE45081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "79AC7C0B-4135-4C24-8D37-A9431156E3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "7289F71D-ECEB-4FB9-A53F-D3F4D1315ADD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "C18AE68F-6EF0-4132-A3D8-C2D77A842137",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "4C5F0729-7B44-4B9E-949F-6A66D8176E11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "B883C27E-3C14-4686-A0E8-8969B4246CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71B2CB88-0B25-4CFC-A223-B740E2847FD3",
              "versionEndExcluding": "7.4.3.4",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Certain Liferay products do not validate SSL certificates in the Dynamic Data Mapping module\u0027s REST data providers (Missing SSL Certificate Validation). This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3."
    },
    {
      "lang": "es",
      "value": "Ciertos productos de Liferay se ven afectados por: Falta de Validaci\u00f3n de Certificado SSL en los proveedores de datos REST del m\u00f3dulo Dynamic Data Mapping. Esto afecta a Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 17 y 7.3 antes del service pack 3."
    }
  ],
  "id": "CVE-2022-42131",
  "lastModified": "2024-11-21T07:24:25.820",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T02:15:12.087",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17377"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42131"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17377"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42131"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-06-15 04:15
Modified
2024-11-21 08:16
Summary
Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Impacted products
Vendor Product Version
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_70:*:*:*:*:*:*",
              "matchCriteriaId": "3A210A40-99B5-40D6-BBB8-E0E30FADED2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_71:*:*:*:*:*:*",
              "matchCriteriaId": "9ED1C984-729C-4994-B041-12AD82ABB7FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_72:*:*:*:*:*:*",
              "matchCriteriaId": "998F01FB-913B-4224-8413-D62ACCF570E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_73:*:*:*:*:*:*",
              "matchCriteriaId": "F18E6353-E96E-4FD6-8CEE-28A30C70AC82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "26978230-332C-41AA-9F5D-CFF598640EEC",
              "versionEndExcluding": "7.4.3.74",
              "versionStartIncluding": "7.4.3.70",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
    }
  ],
  "id": "CVE-2023-3193",
  "lastModified": "2024-11-21T08:16:39.987",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-15T04:15:34.727",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3193"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3193"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-07-20 02:15
Modified
2024-11-21 05:06
Summary
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B61E29C-3071-41EF-9774-185F91282DEB",
              "versionEndExcluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization."
    },
    {
      "lang": "es",
      "value": "Liferay Portal versiones anteriores a 7.3.0, y Liferay DXP versi\u00f3n 7.0 anterior al paquete de correcci\u00f3n 90, versi\u00f3n 7.1 anterior al paquete de correcci\u00f3n 17, y versi\u00f3n 7.2 anterior al paquete de correcci\u00f3n 5, permite a los atacantes man-in-the-middle ejecutar c\u00f3digo arbitrario a trav\u00e9s de cargas \u00fatiles seriadas, debido a la deserializaci\u00f3n insegura"
    }
  ],
  "id": "CVE-2020-15842",
  "lastModified": "2024-11-21T05:06:18.100",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-20T02:15:11.660",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-16963"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-16963"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317427"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 16:15
Modified
2024-11-21 08:06
Summary
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search, which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC519823-5316-4E91-B6D2-32E26A6D18FA",
              "versionEndIncluding": "7.4.3.60",
              "versionStartIncluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition."
    }
  ],
  "id": "CVE-2023-33947",
  "lastModified": "2024-11-21T08:06:16.133",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 2.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T16:15:09.927",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 14:15
Modified
2024-11-21 08:06
Summary
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
Impacted products
Vendor Product Version
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4CC72-C15A-40DE-AFF4-0B6B79BFB2BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "43C11288-1C48-47A0-95DF-A48F3C0285F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "5ECF3B18-D0DB-4FB6-9F6F-B63A6CE45081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "79AC7C0B-4135-4C24-8D37-A9431156E3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "7289F71D-ECEB-4FB9-A53F-D3F4D1315ADD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "C18AE68F-6EF0-4132-A3D8-C2D77A842137",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "4C5F0729-7B44-4B9E-949F-6A66D8176E11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "B883C27E-3C14-4686-A0E8-8969B4246CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "94AA76F2-5073-4F3D-9C90-0D44689F873A",
              "versionEndIncluding": "7.4.3.12",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label."
    }
  ],
  "id": "CVE-2023-33939",
  "lastModified": "2024-11-21T08:06:14.710",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T14:15:09.623",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay dxp 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "ADB5F13C-EE1E-4448-8FCF-5966F6874440",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0A4BD58-ACF2-416E-A1B1-447DDD001B54",
              "versionEndIncluding": "7.4.3.16",
              "versionStartIncluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences\u0027 `namespace` attribute."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo Fragment en Liferay Portal 7.3.3 a 7.4.3.16, y Liferay DXP 7.3 antes de la actualizaci\u00f3n 4, y 7.4 antes de la actualizaci\u00f3n 17 permite a los atacantes ejecutar comandos SQL arbitrarios a trav\u00e9s del atributo `namespace` de PortletPreferences."
    }
  ],
  "id": "CVE-2022-42120",
  "lastModified": "2024-11-21T07:24:24.070",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:12.733",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17513"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17513"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-16 16:15
Modified
2024-11-21 06:00
Summary
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after they are used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
Impacted products
Vendor Product Version
liferay dxp *
liferay dxp 7.3
liferay liferay_portal 7.3.4
liferay liferay_portal 7.3.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C0B6536-11D4-48A1-8EC8-FCDFFFD07540",
              "versionEndExcluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C673509-5436-44DF-AFCE-BE5C3188D62F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B842A08-1EDB-4232-89C9-9B966E251B3B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer."
    },
    {
      "lang": "es",
      "value": "La implementaci\u00f3n de SimpleCaptcha en Liferay Portal versiones 7.3.4, 7.3.5 y Liferay DXP versiones 7.3 anteriores al fixpack 1, no invalida las respuestas CAPTCHA despu\u00e9s de su uso, lo que permite a atacantes remotos llevar a cabo repetidamente acciones protegidas por un desaf\u00edo CAPTCHA reutilizando la misma respuesta CAPTCHA"
    }
  ],
  "id": "CVE-2021-29047",
  "lastModified": "2024-11-21T06:00:35.473",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-16T16:15:07.297",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 21:15
Modified
2024-11-21 06:08
Summary
Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2635CDB-89E9-4B43-AE62-4D91ACF42299",
              "versionEndExcluding": "7.3.3",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el m\u00f3dulo Portlet Configuration en Liferay Portal versiones 7.1.0 hasta 7.3.2, y Liferay DXP versiones 7.1 anteriores a fix pack 19, y versiones 7.2 anteriores a fix pack 7, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource"
    }
  ],
  "id": "CVE-2021-33332",
  "lastModified": "2024-11-21T06:08:42.613",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T21:15:08.537",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17053"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748366"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17053"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748366"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-03 00:15
Modified
2024-11-21 06:16
Summary
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay liferay_portal 7.4.0
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3E59C58-7196-4CA6-A0A1-4DFB5E666C67",
              "versionEndIncluding": "7.3.6",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D77AE89B-3769-4AEC-AF7B-00AAE3F345F9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4CC72-C15A-40DE-AFF4-0B6B79BFB2BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "43C11288-1C48-47A0-95DF-A48F3C0285F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "5ECF3B18-D0DB-4FB6-9F6F-B63A6CE45081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "79AC7C0B-4135-4C24-8D37-A9431156E3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "7289F71D-ECEB-4FB9-A53F-D3F4D1315ADD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el m\u00f3dulo Gogo Shell en Liferay Portal 7.1.0 hasta 7.3.6 y 7.4.0, y Liferay DXP 7.1 antes del paquete de correcciones 23, 7.2 antes del paquete de correcciones 13 y 7.3 antes del paquete de correcciones 2 permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a trav\u00e9s de la salida de un comando Gogo Shell"
    }
  ],
  "id": "CVE-2021-38269",
  "lastModified": "2024-11-21T06:16:43.007",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-03T00:15:08.110",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38269-stored-xss-with-gogo-shell-output"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38269-stored-xss-with-gogo-shell-output"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 15:15
Modified
2024-11-21 08:06
Summary
Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AABBE89E-33BB-462C-B1CE-17A7E578B304",
              "versionEndIncluding": "7.4.3.62",
              "versionStartIncluding": "7.4.3.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user\u0027s (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field."
    }
  ],
  "id": "CVE-2023-33943",
  "lastModified": "2024-11-21T08:06:15.600",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T15:15:09.897",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33943"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33943"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 14:15
Modified
2025-01-28 21:25
Summary
The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DB383E5-7A0E-46A2-AB91-E4536889A6DB",
              "versionEndExcluding": "7.4.3.100",
              "versionStartIncluding": "7.4.3.76",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7B3A5E2-23CE-45A8-BD01-77024EB9F9A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user\u2019s hashed password in the page\u2019s HTML source, which allows man-in-the-middle attackers to steal a user\u0027s hashed password."
    },
    {
      "lang": "es",
      "value": "La p\u00e1gina Configuraci\u00f3n de Cuenta en Liferay Portal 7.4.3.76 a 7.4.3.99, y Liferay DXP 2023.Q3 antes del parche 5, y 7.4 actualizaci\u00f3n 76 a 92 incorpora la contrase\u00f1a hash del usuario en el c\u00f3digo fuente HTML de la p\u00e1gina, lo que permite a atacantes de intermediario (man-in-the-middle) robar la contrase\u00f1a hash de un usuario."
    }
  ],
  "id": "CVE-2024-26270",
  "lastModified": "2025-01-28T21:25:41.420",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T14:15:09.530",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 01:15
Modified
2024-11-21 07:16
Summary
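The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export web content for translation, allowing attackers to download a web content page's XLIFF translation file via a crafted URL. (Note: the CPE match list in the record below also includes DXP 7.4 update 3, which falls outside the "update 8 through 36" range stated here; confirm the affected range against the vendor advisory.)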
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*",
              "matchCriteriaId": "5703FE2B-011A-4A40-AB67-B989438F2183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*",
              "matchCriteriaId": "41A54448-B1AB-4E92-8523-5D4A46A83533",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*",
              "matchCriteriaId": "A96A2A4A-3EB3-4074-A846-EC6EECC04B43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*",
              "matchCriteriaId": "56DAE678-10B9-419D-9F5D-96E3AC3A6E4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*",
              "matchCriteriaId": "064F4C28-B1F5-44C2-91AA-A09FD56EC0B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*",
              "matchCriteriaId": "814D0CE3-B89F-423C-B1E3-47BD0A474491",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*",
              "matchCriteriaId": "58DB7C5A-B4E3-410A-B491-3F322B340BDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*",
              "matchCriteriaId": "86B581B6-02B0-40B9-BB5C-E28FC51042DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*",
              "matchCriteriaId": "E7EFBC14-6785-4435-BA96-D77A857BC1C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*",
              "matchCriteriaId": "585635F8-53DC-4F64-BF6B-C6F72A5F4D29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:*",
              "matchCriteriaId": "355DD7FC-E9C7-43D6-8313-0474AB314F18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:*",
              "matchCriteriaId": "B0FDE8B1-444A-4FEB-AC97-4B29C914EB8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_27:*:*:*:*:*:*",
              "matchCriteriaId": "683D063A-0E32-4E2D-8CBF-A57F45071F6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_28:*:*:*:*:*:*",
              "matchCriteriaId": "7DFEBCAB-1D9B-4BED-A2C6-11BA863F1EE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_29:*:*:*:*:*:*",
              "matchCriteriaId": "DB8733C4-8CE4-4E4B-A2AE-919AA69DAF8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_30:*:*:*:*:*:*",
              "matchCriteriaId": "D372D9B9-5A83-4FF8-8DE5-617D99D1A8B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_31:*:*:*:*:*:*",
              "matchCriteriaId": "7519ABB1-57A7-46F1-97FC-DD44787F2B6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_32:*:*:*:*:*:*",
              "matchCriteriaId": "87BD916B-245C-4D62-B595-1985784C2ABC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_33:*:*:*:*:*:*",
              "matchCriteriaId": "841E15A8-0819-4E48-B7E3-3ACCB4C1F43B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_34:*:*:*:*:*:*",
              "matchCriteriaId": "91A243D9-7633-4836-B72D-75EF6C0F8876",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_35:*:*:*:*:*:*",
              "matchCriteriaId": "6E2B1876-78B1-407A-9392-94FFF33AC803",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_36:*:*:*:*:*:*",
              "matchCriteriaId": "4C6BBDC0-9D68-4653-9177-E49B847B04ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8A78EE0-809C-4D58-9778-296ACB01C1EF",
              "versionEndIncluding": "7.4.3.36",
              "versionStartIncluding": "7.4.3.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page\u0027s XLIFF translation file via crafted URL."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo de traducci\u00f3n de Liferay Portal versiones v7.4.3.12 hasta v7.4.3.36, y Liferay DXP versiones 7.4 update 8 hasta 36, no comprueba los permisos antes de permitir a un usuario exportar un contenido web para su traducci\u00f3n, permitiendo a atacantes descargar el archivo de traducci\u00f3n XLIFF de una p\u00e1gina de contenido web por medio de una URL dise\u00f1ada"
    }
  ],
  "id": "CVE-2022-38512",
  "lastModified": "2024-11-21T07:16:36.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T01:15:11.897",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 21:15
Modified
2024-11-21 06:08
Summary
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "94896449-7A52-40D2-8E76-26DC60D7BA9A",
              "versionEndExcluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Portal Workflow en Liferay Portal versiones 7.3.2 y anteriores, y Liferay DXP versiones 7.0 anteriores a fix pack 93, versiones 7.1 anteriores a fix pack 19 y versiones 7.2 anteriores a fix pack 6, no comprueba apropiadamente los permisos de usuario, que permite a usuarios autenticados remotos visualizar y eliminar env\u00edos de flujos de trabajo por medio de URLs dise\u00f1adas"
    }
  ],
  "id": "CVE-2021-33333",
  "lastModified": "2024-11-21T06:08:42.770",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T21:15:08.573",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17032"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17032"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747742"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-09-24 15:15
Modified
2024-11-21 05:06
Summary
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with double-encoded URLs.
Impacted products
Vendor Product Version
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.2
liferay liferay_portal *
liferay liferay_portal 6.2



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "726967CC-1BE0-48AB-8BD1-BE4B09ADFD36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "980981E7-41E3-4F67-A90C-4460BE4CA62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "597580A0-6E74-41D5-9242-9187AF618AD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73CDC2CC-EE82-4010-88E5-EDC175DA4D47",
              "versionEndExcluding": "7.3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2:-:*:*:enterprise:*:*:*",
              "matchCriteriaId": "45888C16-DD71-4704-8DBF-BEAF9778DFDA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property \u0027portlet.resource.id.banned.paths.regexp\u0027 can be bypassed with double-encoded URLs."
    },
    {
      "lang": "es",
      "value": "En Liferay Portal versiones anteriores a 7.3.1, Liferay Portal versi\u00f3n 6.2 EE y Liferay DXP versi\u00f3n 7.2, DXP versi\u00f3n 7.1 y DXP versi\u00f3n 7.0, la propiedad \"portlet.resource.id.banned.paths.regexp\" puede ser omitida con unas URL codificadas duplicadas."
    }
  ],
  "id": "CVE-2020-15840",
  "lastModified": "2024-11-21T05:06:17.767",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-24T15:15:14.080",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17046"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17046"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 03:15
Modified
2025-01-28 21:18
Summary
Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform 7.4 update44
liferay digital_experience_platform 7.4 update45
liferay digital_experience_platform 7.4 update46
liferay digital_experience_platform 7.4 update47
liferay digital_experience_platform 7.4 update48
liferay digital_experience_platform 7.4 update49
liferay digital_experience_platform 7.4 update50
liferay digital_experience_platform 7.4 update51
liferay digital_experience_platform 7.4 update52
liferay digital_experience_platform 7.4 update53
liferay digital_experience_platform 7.4 update54
liferay digital_experience_platform 7.4 update55
liferay digital_experience_platform 7.4 update56
liferay digital_experience_platform 7.4 update57
liferay digital_experience_platform 7.4 update58
liferay digital_experience_platform 7.4 update59
liferay digital_experience_platform 7.4 update60
liferay digital_experience_platform 7.4 update61
liferay digital_experience_platform 7.4 update62
liferay digital_experience_platform 7.4 update63
liferay digital_experience_platform 7.4 update64
liferay digital_experience_platform 7.4 update65
liferay digital_experience_platform 7.4 update66
liferay digital_experience_platform 7.4 update67
liferay digital_experience_platform 7.4 update68
liferay digital_experience_platform 7.4 update69
liferay digital_experience_platform 7.4 update70
liferay digital_experience_platform 7.4 update71
liferay digital_experience_platform 7.4 update72
liferay digital_experience_platform 7.4 update73
liferay digital_experience_platform 7.4 update74
liferay digital_experience_platform 7.4 update75
liferay digital_experience_platform 7.4 update76
liferay digital_experience_platform 7.4 update77
liferay digital_experience_platform 7.4 update78
liferay digital_experience_platform 7.4 update79
liferay digital_experience_platform 7.4 update80
liferay digital_experience_platform 7.4 update81
liferay digital_experience_platform 7.4 update82
liferay digital_experience_platform 7.4 update83
liferay digital_experience_platform 7.4 update84
liferay digital_experience_platform 7.4 update85
liferay digital_experience_platform 7.4 update86
liferay digital_experience_platform 7.4 update87
liferay digital_experience_platform 7.4 update88
liferay digital_experience_platform 7.4 update89
liferay digital_experience_platform 7.4 update90
liferay digital_experience_platform 7.4 update91
liferay digital_experience_platform 7.4 update92
liferay digital_experience_platform 2023.q3.0
liferay digital_experience_platform 2023.q3.1
liferay digital_experience_platform 2023.q3.2
liferay digital_experience_platform 2023.q3.3
liferay digital_experience_platform 2023.q3.4
liferay digital_experience_platform 2023.q3.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9F975792-5DD1-4202-A0E8-EEC7CB49C656",
              "versionEndExcluding": "7.4.3.98",
              "versionStartIncluding": "7.4.3.44",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7B3A5E2-23CE-45A8-BD01-77024EB9F9A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "62432289-E1DC-4013-85C7-6B77299A910F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the \u201cBlocked Email Domains\u201d text field."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting (XSS) reflejado en la configuraci\u00f3n de instancia para cuentas en Liferay Portal 7.4.3.44 a 7.4.3.97, y Liferay DXP 2023.Q3 antes del parche 6, y 7.4 actualizaci\u00f3n 44 a 92 permite a atacantes remotos inyectar script arbitrarios o HTML a trav\u00e9s de un payload manipulado inyectado en el campo de texto \"Dominios de correo electr\u00f3nico bloqueados\""
    }
  ],
  "id": "CVE-2023-40191",
  "lastModified": "2025-01-28T21:18:13.967",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T03:15:07.870",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-08-07 16:29
Modified
2024-11-21 02:43
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:ga3:*:*:*:*:*:*",
              "matchCriteriaId": "2EF349F1-9D4E-41AD-8C60-3E69F4141B75",
              "versionEndIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante un campo manipulado de redirecci\u00f3n a modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp."
    }
  ],
  "id": "CVE-2016-10404",
  "lastModified": "2024-11-21T02:43:56.133",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-07T16:29:00.190",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/333f65bae9106182d12e02d249d4f95e16e93fa2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/333f65bae9106182d12e02d249d4f95e16e93fa2"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 02:15
Modified
2024-11-21 07:24
Summary
An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C01C7D38-BC12-4921-ADE6-799945887D66",
              "versionEndExcluding": "7.4.3.5",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Insecure Direct Object Reference (IDOR) en el m\u00f3dulo Dynamic Data Mapping en Liferay Portal 7.3.2 hasta 7.4.3.4, y Liferay DXP 7.3 antes de la actualizaci\u00f3n 4, y 7.4 GA permite a usuarios remotos autenticados ver y acceder a entradas de formulario a trav\u00e9s del par\u00e1metro `formInstanceRecordId`."
    }
  ],
  "id": "CVE-2022-42129",
  "lastModified": "2024-11-21T07:24:25.490",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T02:15:11.590",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17448"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17448"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2011-05-07 19:55
Modified
2024-11-21 01:26
Severity ?
Summary
Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.
Impacted products
Vendor Product Version
liferay liferay_portal * (community edition, 5.1.0 through 5.1.2)
liferay liferay_portal * (community edition, 6.0.0 through 6.0.5)



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "8AEE2383-4164-4729-8A51-EC4F5C4CB086",
              "versionEndIncluding": "5.1.2",
              "versionStartIncluding": "5.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "36D6FB97-DA02-4BE8-9546-2676F79BD9BA",
              "versionEndIncluding": "6.0.5",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad no especificada en XSL Content portlet en Liferay Portal Community Edition (CE) v5.x y v6.x anterior a v6.0.6 GA, cuando Apache Tomcat es utilizado, permite a atacantes remotos ejecutar comandos arbitrarios a trav\u00e9s de vectores desconocidos."
    }
  ],
  "id": "CVE-2011-1571",
  "lastModified": "2024-11-21T01:26:37.593",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-05-07T19:55:01.120",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-14726"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-14726"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 00:15
Modified
2024-11-21 06:58
Summary
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A3A8F5E-502D-4BB3-9D19-E73FF74C00E3",
              "versionEndExcluding": "7.4.3.4",
              "versionStartIncluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en Liferay Portal versiones v7.3.3 hasta v7.4.2 y Liferay DXP versiones v7.3 anteriores a service pack 3 permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga \u00fatil dise\u00f1ada inyectada en el nombre de una etiqueta"
    }
  ],
  "id": "CVE-2022-28982",
  "lastModified": "2024-11-21T06:58:17.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T00:15:09.947",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2010-01-07 20:30
Modified
2024-11-21 01:08
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "74E57653-597F-46AE-9C24-F20C6A19D567",
              "versionEndIncluding": "5.2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Liferay Portal anterior a v5.3.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del par\u00e1metro p_p_id"
    }
  ],
  "id": "CVE-2009-3742",
  "lastModified": "2024-11-21T01:08:05.640",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2010-01-07T20:30:00.293",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-6034"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/750796"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-6034"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/750796"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 14:15
Modified
2024-11-21 08:06
Summary
Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0144D43C-D0E8-4D25-A6AC-81CFD2278DFB",
              "versionEndIncluding": "7.4.3.30",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App\u0027s IFrame URL."
    }
  ],
  "id": "CVE-2023-33940",
  "lastModified": "2024-11-21T08:06:14.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T14:15:09.697",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33940"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33940"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 13:15
Modified
2025-01-28 21:36
Summary
In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via the `Liferay-Portal` response header.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay liferay_portal *
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB1BD676-9B8D-44B0-9EAA-777EC43859DB",
              "versionEndIncluding": "7.3.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC7C6A95-F6F4-40F0-AEB7-66A575A949EE",
              "versionEndExcluding": "7.4.3.26",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via the `Liferay-Portal` response header."
    },
    {
      "lang": "es",
      "value": "En Liferay Portal 7.2.0 a 7.4.3.25 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 26, 7.3 antes de la actualizaci\u00f3n 5, 7.2 antes del fixpack 19 y versiones anteriores no compatibles, el valor predeterminado de la propiedad del portal `http.header.version.verbosity` est\u00e1 configurado en `full`, lo que permite a atacantes remotos identificar f\u00e1cilmente la versi\u00f3n de la aplicaci\u00f3n que se est\u00e1 ejecutando y las vulnerabilidades que afectan a esa versi\u00f3n a trav\u00e9s del encabezado de respuesta `Liferay-Portal`."
    }
  ],
  "id": "CVE-2024-26267",
  "lastModified": "2025-01-28T21:36:47.403",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T13:15:08.843",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 11:15
Modified
2024-11-21 06:00
Summary
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay liferay_portal 7.3.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B842A08-1EDB-4232-89C9-9B966E251B3B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Liferay Portal versi\u00f3n 7.3.5 y Liferay DXP versiones 7.3 anteriores a fixpack 1, permiten a usuarios autenticados remotos ejecutar comandos SQL arbitrarios por medio del par\u00e1metro classPKField para (1) el archivo CommerceChannelRelFinder.countByC_C, o (2) el archivo CommerceChannelRelFinder.findByC_C"
    }
  ],
  "id": "CVE-2021-29053",
  "lastModified": "2024-11-21T06:00:36.473",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T11:15:07.307",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-02 23:15
Modified
2024-11-21 06:16
Summary
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exists in LDAP.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "54016156-94AF-4EE7-9165-D7C4705A2BF2",
              "versionEndIncluding": "7.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "6F20D93D-7FB2-4D5F-9249-4DECDE473C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "CF0821E5-B6E5-44E6-9CF7-77EAE982F677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "1B24B6A1-8439-49D6-8E78-193144F3DCC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "7E82A6CC-891C-4619-84EA-0DA96E4043C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "70E12054-0DEE-4B92-B8F6-7DC4B2461113",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "3B566A51-3EFC-4A08-8A4F-A9AA43FBE481",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "FE1A8781-6B16-4D37-B556-36B99CBCA9F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "3EE11B43-1629-4A22-BE88-0AFB2DFC528C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "10FC6F33-C031-40A4-AFAF-B5CF30F79E52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "99B99578-CACE-47D2-9C1E-A7BBD2B6F6EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "950D98A8-88EE-4C99-817B-C418071B2819",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "F86FF50F-B21A-4B6E-88B8-90D0C042E942",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "CE0E1891-6E76-4069-B412-43B5E5379E0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "404F5FFE-2758-452F-9297-40E0533C6FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "3F5B7E72-8D62-464A-AA82-CBE2625C7687",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "4FA67C68-3E8E-4383-967F-A1FA55AE4897",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "F220793A-FDAC-48C6-B299-39EB3BC077A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "F095A9E1-5FE1-46C4-B0E1-97F8767439D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "DFD748DD-6FDB-44CD-96BF-026D18CE4207",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "0A34F2EA-D0F7-4C9B-BFE6-DA334DFD0EDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "4B3C2426-7617-4535-B86A-7F9BA45DFD0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_29:*:*:*:*:*:*",
              "matchCriteriaId": "88A5CBCE-2BAE-44C7-A7BF-BC30C89839BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "CA6B2500-42E4-4F87-8B93-2F7399B4F611",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "28955834-8E02-4558-ABD3-4958DBB41423",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_31:*:*:*:*:*:*",
              "matchCriteriaId": "89B4F926-5018-4C50-9569-A92BEA6364A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_32:*:*:*:*:*:*",
              "matchCriteriaId": "863C4DBB-9BA2-4A13-8394-08AC500D552A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "C4206C84-C4BD-4363-A4CA-EE229CE06319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_34:*:*:*:*:*:*",
              "matchCriteriaId": "54CA9915-54C2-4E7F-85AF-781CA0A63A9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "4F644864-1056-4A0C-ADD7-A1992A0AC07D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "91E9BAE9-CD40-4353-95DB-7D9ADC338F95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_37:*:*:*:*:*:*",
              "matchCriteriaId": "C2A29CA0-66CB-4ED9-87B3-57A1C04F59F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_38:*:*:*:*:*:*",
              "matchCriteriaId": "2BFC882E-25C2-46A3-A0DA-A779399A3A30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "661E68A2-B365-4962-87CF-CE17A500889F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "D4094372-E950-4DE0-86D2-CE7F214FD3A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "A5D28279-002A-4BC7-9396-E47FC842D7AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "C700ED72-4626-48A0-B1BB-E0A7C12D454F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "8F473DF1-F70D-4EDB-A011-C8D1C6A21659",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "C2351EAC-F6AD-4611-B9BD-39C4DFE85B5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "357845C1-3834-465A-B9CA-F9C604AA8242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "DD35964D-4156-45B8-A0AB-282DA9F4FA47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "35656567-EF24-4948-A72A-C754D6E419B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "E9A3D95D-4539-432D-B241-376F312534AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "81F329F1-5BB1-42A7-98CE-B0EB5819D60A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "5B7111FA-9FD7-4952-AFE1-07D3E14854F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D35916F1-24AA-4BF3-8B1F-2361C5B815D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "2C7A080F-9C99-41A0-BC63-EBDDC0DF7B8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "0383C4C4-A7BB-418D-9A98-AC4233722961",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "AA281A20-7599-446B-9587-118E920403D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "9514E8F5-1D0B-4CDF-BD03-087326F6C252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "78BC7D6C-2A10-4F78-9C41-EA97665C246E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_55:*:*:*:*:*:*",
              "matchCriteriaId": "B2C29B11-D87B-4D78-9D42-AD528C811080",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "CA9BE427-78D7-4DEE-A174-F3E3675B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "6C10325C-8670-499B-B003-7D8634539C5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "5F692BEB-5CB1-41EA-B715-64AB0036F6CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "427C4DF5-9039-4CB5-B600-5F965E20D945",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "EDEE4B40-889C-472E-AA91-7E1B4314EE64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "44B7A2A2-5764-4EDB-AA44-25F8508CF128",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "55D94917-5360-4179-A017-1287C63A6E6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_62:*:*:*:*:*:*",
              "matchCriteriaId": "52C5C76D-2572-4ADF-B7E4-7B3444935658",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_63:*:*:*:*:*:*",
              "matchCriteriaId": "9ABFC91A-7A8D-4A08-9464-F534BAA69B4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "1D378A23-113D-47AC-9CB5-2658C357FFB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "58FB119E-508C-45F7-8AD8-B67AAAEA53D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "8B3359A5-D39B-4322-8963-B138D791D232",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "E11E2FBD-7541-4CE3-8A78-52FB82571547",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "3883F470-8D8D-4CB3-BF4A-0C401BDABC83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "1BDCF010-04BF-4FA5-9E14-F6461FED3FFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "3867FDAA-354E-4D2F-A260-27F31CA44C8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "7E8CEA39-4A7F-4827-91FA-31119201D174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "D3768AC9-A245-4B81-8D1D-9D9C5354245C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "71CA65C9-C0FC-4CBD-A8B0-DD72604A46F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "9F06DECA-F45D-49DA-BB24-AA1F0306B0B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_74:*:*:*:*:*:*",
              "matchCriteriaId": "3BA69ED9-28FA-40B5-84F9-0FFE40DFC675",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "6FF2D31F-8719-41A6-ADD5-15BE9409428E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "DE56F5E5-73CF-4636-9F98-86BDDA3F6A47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_77:*:*:*:*:*:*",
              "matchCriteriaId": "CE4885B1-F912-4D06-8179-830FC011F3F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "A1A0EFCE-4B74-4B4D-AB6E-5730F26B38FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "F02DCC86-C3F7-482C-9BFB-B7971FB10AEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "A89B7EE4-57FD-4B09-841A-ABC9990FF88F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "06835B0A-A2DF-44D3-A38F-59E5D5523FFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "B746D0CF-76F6-42A1-9056-CA9622DCD806",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "FFC33A7E-B1CB-4E83-B75C-71F5E7E5E406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "325CFFCF-1609-4D89-B6A8-1C6ACBFDD35B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "BD019A57-FC7A-4B1F-9946-FA15C90FC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "A6B2CD3A-C39C-4F9A-8602-3EC75472181D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "1B8DCD85-0E47-44C1-B7DD-E1B4756CEC17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "1790D974-2EE0-4405-8F26-BB6DB3BDA23B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "416B3F04-AD86-4F91-890E-56BA539AAB06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "C12C0E4D-4E9A-4BD7-926E-74BCD42595B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "655A3A6A-A3EB-4864-B64D-2319E5CF7DA0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Portal Security en Liferay Portal 7.2.1 y anteriores, y Liferay DXP 7.0 antes del fix pack 90, 7.1 antes del fix pack 17 y 7.2 antes del fix pack 5 no importa correctamente los usuarios de LDAP, lo que permite a los atacantes remotos impedir que un usuario leg\u00edtimo se autentique al intentar iniciar sesi\u00f3n como un usuario que existe en LDAP"
    }
  ],
  "id": "CVE-2021-38266",
  "lastModified": "2024-11-21T06:16:42.417",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-02T23:15:08.577",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17191"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17191"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 08:15
Modified
2024-12-10 23:01
Summary
Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "831BFAEF-E7B6-4E84-9142-79B93FBA0E8A",
              "versionEndExcluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user\u0027s full name from the page\u0027s title by enumerating user screen names."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el Panel de control en Liferay Portal 7.2.0 a 7.4.2 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior a la actualizaci\u00f3n 4, 7.2 anterior al fix pack 19 y las versiones anteriores no compatibles permiten a los usuarios autenticados remotamente obtener el nombre completo de un usuario a partir del t\u00edtulo de la p\u00e1gina enumerando los nombres de pantalla de los usuarios."
    }
  ],
  "id": "CVE-2024-25150",
  "lastModified": "2024-12-10T23:01:58.647",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T08:15:07.290",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 09:15
Modified
2024-12-10 22:59
Summary
Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions do not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the Users and Organizations section of the Control Panel.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E04E0EDA-8E18-43C3-A0B2-DF45B7CE811D",
              "versionEndExcluding": "7.4.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel."
    },
    {
      "lang": "es",
      "value": "Liferay Portal 7.2.0 a 7.4.3.4 y versiones anteriores no compatibles, y Liferay DXP 7.4.13, 7.3 anterior al service pack 3, 7.2 anterior al fix pack 17 y versiones anteriores no compatibles no comprueban correctamente los permisos de usuario, lo que permite a los usuarios autenticados remotamente con el permiso de usuario VER para editar su propio permiso a trav\u00e9s de la secci\u00f3n Usuarios y organizaciones del Panel de control."
    }
  ],
  "id": "CVE-2024-25604",
  "lastModified": "2024-12-10T22:59:32.727",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T09:15:09.057",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2011-05-07 19:55
Modified
2024-11-21 01:26
Severity
MEDIUM (CVSS v2.0 base score 4.0, vector AV:N/AC:L/Au:S/C:P/I:N/A:N; NVD primary assessment)
Summary
Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "36D6FB97-DA02-4BE8-9546-2676F79BD9BA",
              "versionEndIncluding": "6.0.5",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue."
    },
    {
      "lang": "es",
      "value": "Liferay Portal Community Edition (CE) v6.x anterior a v6.0.6 GA, cuando Apache Tomcat es utilizado, permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de una declaraci\u00f3n de entidad junto con una referencia de entidad, relacionado con un asunto XML External Entity (tambi\u00e9n conocido como XXE)"
    }
  ],
  "id": "CVE-2011-1502",
  "lastModified": "2024-11-21T01:26:27.447",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-05-07T19:55:00.947",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-14927"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-14927"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-17 10:15
Modified
2024-11-21 08:25
Summary
Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code or (2) error parameter. This issue is caused by an incomplete fix for CVE-2023-33941.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6204FB7B-6129-4E68-A811-6B51961C3D4A",
              "versionEndExcluding": "7.4.3.90",
              "versionStartIncluding": "7.4.3.41",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module\u0027s OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de Cross-Site Scripting (XSS) reflejadas en el complemento para la clase OAuth2ProviderApplicationRedirect del m\u00f3dulo OAuth 2.0 en Liferay Portal v7.4.3.41 a 7.4.3.89 y Liferay DXP 7.4 actualizaci\u00f3n 41 a 89 permiten a atacantes remotos inyectar script  web o HTML arbitrarios mediante el (1) c\u00f3digo o (2) el par\u00e1metro de error. Este problema se debe a una soluci\u00f3n incompleta en CVE-2023-33941."
    }
  ],
  "id": "CVE-2023-44311",
  "lastModified": "2024-11-21T08:25:38.623",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T10:15:09.947",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44311"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44311"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-04-16 04:15
Modified
2024-11-21 06:09
Summary
Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.
Impacted products
Vendor Product Version
liferay liferay_portal 6.2.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "031C44B4-DAA7-4A54-819C-C96B9B2D16BA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal 6.2.5 allows Command=FileUpload\u0026Type=File\u0026CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file."
    }
  ],
  "id": "CVE-2021-33990",
  "lastModified": "2024-11-21T06:09:51.160",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-04-16T04:15:07.967",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fu2x2000/Liferay_exploit_Poc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fu2x2000/Liferay_exploit_Poc"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-281"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-04 13:15
Modified
2024-11-21 06:08
Summary
Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter.
Impacted products
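Vendor Product Version Update
liferay dxp 7.1 - (no fix pack)
liferay dxp 7.1 fix_pack_1
liferay dxp 7.1 fix_pack_10
liferay dxp 7.1 fix_pack_11
liferay dxp 7.1 fix_pack_12
liferay dxp 7.1 fix_pack_13
liferay dxp 7.1 fix_pack_14
liferay dxp 7.1 fix_pack_15
liferay dxp 7.1 fix_pack_16
liferay dxp 7.1 fix_pack_17
liferay dxp 7.1 fix_pack_2
liferay dxp 7.1 fix_pack_3
liferay dxp 7.1 fix_pack_4
liferay dxp 7.1 fix_pack_5
liferay dxp 7.1 fix_pack_6
liferay dxp 7.1 fix_pack_7
liferay dxp 7.1 fix_pack_8
liferay dxp 7.1 fix_pack_9
liferay dxp 7.2 fix_pack_5
liferay dxp 7.2 fix_pack_6
liferay dxp 7.2 fix_pack_7
liferay liferay_portal * (from 7.3.0 up to, but excluding, 7.3.4)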



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E98D77D-3439-437B-AB97-EEDBB70BE03B",
              "versionEndExcluding": "7.3.4",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Journal module\u0027s add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el men\u00fa de adici\u00f3n de art\u00edculos del m\u00f3dulo Journal en Liferay Portal versiones 7.3.0 hasta 7.3.3, y Liferay DXP versiones 7.1 fix pack 18, y versiones 7.2 fix pack 5 hasta 7, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio del par\u00e1metro _com_liferay_journal_web_portlet_JournalPortlet_name"
    }
  ],
  "id": "CVE-2021-33336",
  "lastModified": "2024-11-21T06:08:43.257",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-04T13:15:08.023",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17078"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33336-stored-xss-with-structure-name"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17078"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33336-stored-xss-with-structure-name"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B67012C-9345-40B8-9FB4-CF7AF5116420",
              "versionEndExcluding": "7.4.3.29",
              "versionStartIncluding": "7.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Asset Libraries en Liferay Portal 7.3.5 a 7.4.3.28, y Liferay DXP 7.3 antes de la actualizaci\u00f3n 8, y DXP 7.4 antes de la actualizaci\u00f3n 29 no verifica correctamente los permisos de las librer\u00edas de activos, lo que permite a los usuarios remotos autenticados ver las librer\u00edas de activos a trav\u00e9s de la interfaz de usuario."
    }
  ],
  "id": "CVE-2022-42126",
  "lastModified": "2024-11-21T07:24:25.027",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:13.267",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17593"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C01C7D38-BC12-4921-ADE6-799945887D66",
              "versionEndExcluding": "7.4.3.5",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the \u0027name\u0027 field of a layout prototype."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad ReDoS en LayoutPageTemplateEntryUpgradeProcess en Liferay Portal 7.3.2 hasta 7.4.3.4 y Liferay DXP 7.2 fix pack 9 hasta fix pack 18, 7.3 antes de la actualizaci\u00f3n 4 y DXP 7.4 GA permite a atacantes remotos consumir una cantidad excesiva de recursos del servidor a trav\u00e9s de un payload manipulado inyectado en el campo \u0027name\u0027 de un prototipo de dise\u00f1o."
    }
  ],
  "id": "CVE-2022-42124",
  "lastModified": "2024-11-21T07:24:24.717",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:13.123",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17435"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17535"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42124"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17435"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17535"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42124"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "201470D2-65E1-40D7-B01B-35A03930BEEA",
              "versionEndIncluding": "7.4.2",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "87600A59-7DD1-49F5-A5A5-EA392193C6A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "33EB9718-E83C-43F4-AFF9-86A83F6F75A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "F7CDDDE5-5E00-41AB-8517-2E5A1427633D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "D5B4F901-D5A9-440D-86B4-76B42C833660",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "1AB262B6-E817-461A-9F05-15B1B37D9019",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en el m\u00f3dulo Portal Search en Liferay Portal 7.1.0 hasta 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 15 y 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s del par\u00e1metro \"tag\"."
    }
  ],
  "id": "CVE-2022-42118",
  "lastModified": "2024-11-21T07:24:23.750",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:12.410",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17342"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42118"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17342"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42118"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-08-07 16:29
Modified
2024-11-21 03:09
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:ga3:*:*:*:*:*:*",
              "matchCriteriaId": "2EF349F1-9D4E-41AD-8C60-3E69F4141B75",
              "versionEndIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante una URL de marcador."
    }
  ],
  "id": "CVE-2017-12648",
  "lastModified": "2024-11-21T03:09:58.180",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-07T16:29:00.360",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/47888"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/47888"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-08-07 16:29
Modified
2024-11-21 03:09
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:ga3:*:*:*:*:*:*",
              "matchCriteriaId": "2EF349F1-9D4E-41AD-8C60-3E69F4141B75",
              "versionEndIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante un resumen o t\u00edtulo manipulado que no se administra correctamente en el Web Content Display."
    }
  ],
  "id": "CVE-2017-12649",
  "lastModified": "2024-11-21T03:09:58.327",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-07T16:29:00.393",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/47579"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/47579"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2018-01-02 23:29
Modified
2024-11-21 03:04
Summary
Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "C731DAF9-91B5-4C31-B12A-87CB6A688051",
              "versionEndExcluding": "7.0.3_ga4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the \"movie\" parameter."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) en la p\u00e1gina /html/portal/flash.jsp en Liferay Portal CE 7.0 GA4 y anteriores permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante un URI javascript: en el par\u00e1metro \"movie\"."
    }
  ],
  "id": "CVE-2017-1000425",
  "lastModified": "2024-11-21T03:04:42.843",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-01-02T23:29:00.210",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7030-multiple-xss-vulnerabilities-in-7-0-ce-ga4"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a43d18c031"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7030-multiple-xss-vulnerabilities-in-7-0-ce-ga4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a43d18c031"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-10-22 15:15
Modified
2024-12-10 21:07
Summary
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, and (4) perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform *
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "935D404E-76A6-4405-8A74-0E70E50C3FCC",
              "versionEndExcluding": "2023.q3.6",
              "versionStartIncluding": "2023.q3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3758E9CF-12EC-4025-85BB-1D5EEA99359A",
              "versionEndExcluding": "2023.q4.3",
              "versionStartIncluding": "2023.q4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*",
              "matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*",
              "matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
              "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
              "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
              "matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
              "matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BF93004-E003-45A8-A84A-86710D138F3F",
              "versionEndExcluding": "7.4.3.104",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de Cross-Site Request Forgery (CSRF) en el editor de p\u00e1ginas de contenido en Liferay Portal 7.4.0 a 7.4.3.103, y Liferay DXP 2023.Q4.0 a 2023.Q4.2, 2023.Q3.1 a 2023.Q3.5, 7.4 GA a la actualizaci\u00f3n 92 y 7.3 actualizaci\u00f3n 29 a la actualizaci\u00f3n 35 permite a atacantes remotos (1) cambiar las contrase\u00f1as de los usuarios, (2) apagar el servidor, (3) ejecutar c\u00f3digo arbitrario en la consola de scripts, (4) y realizar otras acciones administrativas a trav\u00e9s del par\u00e1metro _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect."
    }
  ],
  "id": "CVE-2024-26273",
  "lastModified": "2024-12-10T21:07:07.587",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-22T15:15:05.937",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26273"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 11:15
Modified
2024-11-21 06:00
Summary
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.
Impacted products
Vendor Product Version
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_96:*:*:*:*:*:*",
              "matchCriteriaId": "A775E68D-A18E-433F-A9D0-AB6E71495936",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E447EF84-77FA-448B-8E40-DB216B9B715E",
              "versionEndIncluding": "7.3.5",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Site module\u0027s membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en las p\u00e1ginas de administraci\u00f3n de peticiones de membres\u00eda del m\u00f3dulo Site en Liferay Portal versiones 7.0.0 hasta 7.3.5, y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 21, versiones 7.2 anteriores al fixpack 10 y versiones 7.3 anteriores al fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del par\u00e1metro _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments"
    }
  ],
  "id": "CVE-2021-29044",
  "lastModified": "2024-11-21T06:00:35.033",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T11:15:07.210",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743548"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743548"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-17 09:15
Modified
2024-11-21 08:25
Summary
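Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.
Note: the CPE match data in the record below gives the Liferay Portal range as versionStartIncluding 7.4.2 and versionEndExcluding 7.4.3.53, which leaves out 7.4.3.53 itself, while this summary includes it; when matching inventory against 7.4.3.53, rely on the vendor advisory rather than the CPE range alone.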



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "96FC68D1-4118-42AB-B167-864FB0B4152D",
              "versionEndExcluding": "7.4.3.53",
              "versionStartIncluding": "7.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de Cross-Site Scripting (XSS) almacenadas en los componentes de fragmentos en Liferay Portal v7.4.2 hasta 7.4.3.53 y Liferay DXP 7.4 anterior a la actualizaci\u00f3n 54 permiten a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s de un payload manipulado inyectado en cualquier campo no-HTML de un recurso de origen vinculado."
    }
  ],
  "id": "CVE-2023-44309",
  "lastModified": "2024-11-21T08:25:38.360",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T09:15:10.347",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 03:15
Modified
2025-01-28 02:31
Summary
Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CEECF72-6A24-43F5-BB80-6A2B38922920",
              "versionEndExcluding": "7.4.3.38",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "6A773FC6-429D-483D-9736-25323B55A71F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "B6AAAAF1-994E-409D-8FC7-DE2A2CF60AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
              "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
              "matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
              "matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Frontend JS module\u0027s portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting (XSS) en el portlet.js del m\u00f3dulo Frontend JS en Liferay Portal 7.2.0 hasta 7.4.3.37 y Liferay DXP 7.4 antes de la actualizaci\u00f3n 38, 7.3 antes de la actualizaci\u00f3n 11, 7.2 antes del fixpack 20 y versiones anteriores no compatibles permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s de la parte de anclaje (hash) de una URL."
    }
  ],
  "id": "CVE-2024-26269",
  "lastModified": "2025-01-28T02:31:06.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T03:15:09.527",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 01:15
Modified
2024-11-21 06:58
Summary
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92A45267-93C8-47BC-A366-2A603FFB3546",
              "versionEndIncluding": "7.4.2",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de salto de ruta en el m\u00f3dulo Hypermedia REST APIs de Liferay Portal versiones 7.4.0 hasta 7.4.2, permite a atacantes remotos acceder a archivos fuera de com.liferay.headless.discovery.web/META-INF/resources por medio del par\u00e1metro \"parameter\""
    }
  ],
  "id": "CVE-2022-28981",
  "lastModified": "2024-11-21T06:58:17.190",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T01:15:11.820",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28981-path-traversal-vulnerability-in-hypermedia-rest-apis"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28981-path-traversal-vulnerability-in-hypermedia-rest-apis"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 10:15
Modified
2024-12-11 17:55
Summary
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F2855EC-0F83-4119-95BB-709C414D7E05",
              "versionEndExcluding": "7.4.3.13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect. This vulnerability is the result of an incomplete fix in CVE-2022-28977."
    },
    {
      "lang": "es",
      "value": "HtmlUtil.escapeRedirect en Liferay Portal 7.2.0 a 7.4.3.12 y versiones anteriores no compatibles, y Liferay DXP 7.4 anterior a la actualizaci\u00f3n 9, 7.3 service pack 3, 7.2 fixpack 15 a 18 y versiones anteriores no compatibles se pueden eludir usando dos barras diagonales, que permiten a atacantes remotos redirigir a los usuarios a URL externas arbitrarias a trav\u00e9s del (1) par\u00e1metro \u0027redirect` (2) el par\u00e1metro `FORWARD_URL` y (3) otros par\u00e1metros que dependen de HtmlUtil.escapeRedirect. Esta vulnerabilidad es el resultado de una soluci\u00f3n incompleta en CVE-2022-28977."
    }
  ],
  "id": "CVE-2024-25609",
  "lastModified": "2024-12-11T17:55:21.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T10:15:08.707",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25609"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25609"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-19 02:15
Modified
2024-11-21 07:17
Summary
A cross-site scripting (XSS) vulnerability in the file upload functionality of the Document and Media module in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JavaScript or HTML into the description field of an uploaded SVG file.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A46C2D9-63F5-41D7-A804-8B82093B805A",
              "versionEndExcluding": "7.3",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "2B420A18-5C8B-470F-9189-C84F8DAA74D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*",
              "matchCriteriaId": "5703FE2B-011A-4A40-AB67-B989438F2183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*",
              "matchCriteriaId": "41A54448-B1AB-4E92-8523-5D4A46A83533",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*",
              "matchCriteriaId": "A96A2A4A-3EB3-4074-A846-EC6EECC04B43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*",
              "matchCriteriaId": "56DAE678-10B9-419D-9F5D-96E3AC3A6E4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*",
              "matchCriteriaId": "064F4C28-B1F5-44C2-91AA-A09FD56EC0B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*",
              "matchCriteriaId": "814D0CE3-B89F-423C-B1E3-47BD0A474491",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*",
              "matchCriteriaId": "58DB7C5A-B4E3-410A-B491-3F322B340BDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*",
              "matchCriteriaId": "86B581B6-02B0-40B9-BB5C-E28FC51042DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*",
              "matchCriteriaId": "E7EFBC14-6785-4435-BA96-D77A857BC1C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*",
              "matchCriteriaId": "585635F8-53DC-4F64-BF6B-C6F72A5F4D29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:*",
              "matchCriteriaId": "355DD7FC-E9C7-43D6-8313-0474AB314F18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:*",
              "matchCriteriaId": "B0FDE8B1-444A-4FEB-AC97-4B29C914EB8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_27:*:*:*:*:*:*",
              "matchCriteriaId": "683D063A-0E32-4E2D-8CBF-A57F45071F6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_28:*:*:*:*:*:*",
              "matchCriteriaId": "7DFEBCAB-1D9B-4BED-A2C6-11BA863F1EE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0FF0E3A-B8C0-4867-9702-86F17ED4555A",
              "versionEndIncluding": "7.4.3.28",
              "versionStartIncluding": "7.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A cross-site scripting (XSS) vulnerability in the file upload functionality of the Document and Media module in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JavaScript or HTML into the description field of an uploaded SVG file."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el m\u00f3dulo Document and Media - funcionalidad de carga de archivos en Liferay Digital Experience Platform versi\u00f3n 7.3.10 SP3, permite a atacantes remotos inyectar scripts JS o HTML arbitrarios en el campo description del archivo svg cargado"
    }
  ],
  "id": "CVE-2022-38901",
  "lastModified": "2024-11-21T07:17:15.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-19T02:15:09.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 22:15
Modified
2024-11-21 06:08
Summary
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00C7CB5F-BB2C-4D9A-8AEF-1DA5AD3E307F",
              "versionEndExcluding": "7.3.5",
              "versionStartIncluding": "7.0.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de escalada de privilegios en Liferay Portal versiones 7.0.3 hasta 7.3.4, y Liferay DXP versiones 7.1 anteriores a fix pack 20, y versiones 7.2 anteriores a fix pack 9, permite a usuarios autenticados remotos con permiso para actualizar y editar a usuarios tomar el control de una cuenta de usuario de administrador de la empresa al editar al usuario administrador de la empresa"
    }
  ],
  "id": "CVE-2021-33335",
  "lastModified": "2024-11-21T06:08:43.100",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T22:15:09.137",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17103"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17103"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-08-07 16:29
Modified
2024-11-21 03:09
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.
Impacted products
Vendor Product Version
liferay liferay_portal * (through 7.0 GA3, i.e. before 7.0 CE GA4)



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:ga3:*:*:*:*:*:*",
              "matchCriteriaId": "2EF349F1-9D4E-41AD-8C60-3E69F4141B75",
              "versionEndIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante un portletId no v\u00e1lido."
    }
  ],
  "id": "CVE-2017-12645",
  "lastModified": "2024-11-21T03:09:57.760",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-07T16:29:00.250",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPS-72307"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPS-72307"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 14:15
Modified
2025-01-28 21:17
Summary
Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.
Impacted products
Vendor Product Version
liferay liferay_portal * (from 7.4.3.18 up to, but excluding, 7.4.3.102)
liferay digital_experience_platform 7.4 update18
liferay digital_experience_platform 7.4 update19
liferay digital_experience_platform 7.4 update20
liferay digital_experience_platform 7.4 update21
liferay digital_experience_platform 7.4 update22
liferay digital_experience_platform 7.4 update23
liferay digital_experience_platform 7.4 update24
liferay digital_experience_platform 7.4 update25
liferay digital_experience_platform 7.4 update26
liferay digital_experience_platform 7.4 update27
liferay digital_experience_platform 7.4 update28
liferay digital_experience_platform 7.4 update29
liferay digital_experience_platform 7.4 update30
liferay digital_experience_platform 7.4 update31
liferay digital_experience_platform 7.4 update32
liferay digital_experience_platform 7.4 update33
liferay digital_experience_platform 7.4 update34
liferay digital_experience_platform 7.4 update35
liferay digital_experience_platform 7.4 update36
liferay digital_experience_platform 7.4 update37
liferay digital_experience_platform 7.4 update38
liferay digital_experience_platform 7.4 update39
liferay digital_experience_platform 7.4 update40
liferay digital_experience_platform 7.4 update41
liferay digital_experience_platform 7.4 update42
liferay digital_experience_platform 7.4 update43
liferay digital_experience_platform 7.4 update44
liferay digital_experience_platform 7.4 update45
liferay digital_experience_platform 7.4 update46
liferay digital_experience_platform 7.4 update47
liferay digital_experience_platform 7.4 update48
liferay digital_experience_platform 7.4 update49
liferay digital_experience_platform 7.4 update50
liferay digital_experience_platform 7.4 update51
liferay digital_experience_platform 7.4 update52
liferay digital_experience_platform 7.4 update53
liferay digital_experience_platform 7.4 update54
liferay digital_experience_platform 7.4 update55
liferay digital_experience_platform 7.4 update56
liferay digital_experience_platform 7.4 update57
liferay digital_experience_platform 7.4 update58
liferay digital_experience_platform 7.4 update59
liferay digital_experience_platform 7.4 update60
liferay digital_experience_platform 7.4 update61
liferay digital_experience_platform 7.4 update62
liferay digital_experience_platform 7.4 update63
liferay digital_experience_platform 7.4 update64
liferay digital_experience_platform 7.4 update65
liferay digital_experience_platform 7.4 update66
liferay digital_experience_platform 7.4 update67
liferay digital_experience_platform 7.4 update68
liferay digital_experience_platform 7.4 update69
liferay digital_experience_platform 7.4 update70
liferay digital_experience_platform 7.4 update71
liferay digital_experience_platform 7.4 update72
liferay digital_experience_platform 7.4 update73
liferay digital_experience_platform 7.4 update74
liferay digital_experience_platform 7.4 update75
liferay digital_experience_platform 7.4 update76
liferay digital_experience_platform 7.4 update77
liferay digital_experience_platform 7.4 update78
liferay digital_experience_platform 7.4 update79
liferay digital_experience_platform 7.4 update80
liferay digital_experience_platform 7.4 update81
liferay digital_experience_platform 7.4 update82
liferay digital_experience_platform 7.4 update83
liferay digital_experience_platform 7.4 update84
liferay digital_experience_platform 7.4 update85
liferay digital_experience_platform 7.4 update86
liferay digital_experience_platform 7.4 update87
liferay digital_experience_platform 7.4 update88
liferay digital_experience_platform 7.4 update89
liferay digital_experience_platform 7.4 update90
liferay digital_experience_platform 7.4 update91
liferay digital_experience_platform 7.4 update92
liferay digital_experience_platform 2023.q3.0
liferay digital_experience_platform 2023.q3.1
liferay digital_experience_platform 2023.q3.2
liferay digital_experience_platform 2023.q3.3
liferay digital_experience_platform 2023.q3.4
liferay digital_experience_platform 2023.q3.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9937F532-8A20-4311-A90A-A341DE318518",
              "versionEndExcluding": "7.4.3.102",
              "versionStartIncluding": "7.4.3.18",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7B3A5E2-23CE-45A8-BD01-77024EB9F9A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "62432289-E1DC-4013-85C7-6B77299A910F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document\u0027s \u201cTitle\u201d text field."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en el widget Documentos y Medios en Liferay Portal 7.4.3.18 a 7.4.3.101, y Liferay DXP 2023.Q3 antes del parche 6, y 7.4 actualizaciones 18 a 92 permite a usuarios remotos autenticados inyectar script web o HTML arbitrario a trav\u00e9s de un payload manipulado inyectado en el campo de texto \"T\u00edtulo\" de un documento."
    }
  ],
  "id": "CVE-2023-47795",
  "lastModified": "2025-01-28T21:17:39.030",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T14:15:45.677",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 00:15
Modified
2024-11-21 06:58
Summary
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 were discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "87600A59-7DD1-49F5-A5A5-EA392193C6A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "33EB9718-E83C-43F4-AFF9-86A83F6F75A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "F7CDDDE5-5E00-41AB-8517-2E5A1427633D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "D5B4F901-D5A9-440D-86B4-76B42C833660",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "1AB262B6-E817-461A-9F05-15B1B37D9019",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71B2CB88-0B25-4CFC-A223-B740E2847FD3",
              "versionEndExcluding": "7.4.3.4",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field."
    },
    {
      "lang": "es",
      "value": "Se ha detectado que Liferay Portal versiones v7.1.0 hasta v7.4.2 y Liferay DXP versiones 7.1 antes del fix pack 26, 7.2 antes del fix pack 15 y 7.3 antes del service pack 3 contienen una vulnerabilidad de cross-site scripting (XSS) en el widget Custom Facet del m\u00f3dulo Portal Search. Esta vulnerabilidad permite a los atacantes ejecutar scripts web o HTML arbitrarios a trav\u00e9s de una carga \u00fatil manipulada inyectada en el campo de texto Custom Parameter Name."
    }
  ],
  "id": "CVE-2022-28979",
  "lastModified": "2024-11-21T06:58:16.883",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T00:15:09.880",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17381"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17381"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-07 15:15
Modified
2024-11-21 09:00
Summary
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users, when highlighting is disabled, to inject arbitrary web script or HTML into the Search Result app's search result by adding any searchable content (e.g., blog, message board message, web content article) to the application.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BC18F4F-2284-4E3E-B8AC-8EDE1649C635",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "74FAF597-EAAD-4BB5-AB99-8129476A7E89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "50EA838E-E234-4EE1-8193-5FAD0E093940",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "ADB5F13C-EE1E-4448-8FCF-5966F6874440",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "345F6776-E492-489C-AC23-760BBC693A4F",
              "versionEndIncluding": "7.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "13F59EAA-9EC8-44CC-8F56-BC26981F584F",
              "versionEndIncluding": "7.3.7",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DCE033F-5706-4060-8ED1-BB386019325D",
              "versionEndExcluding": "7.4.3.12",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app\u0027s search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de cross-site scripting (XSS) almacenado en la aplicaci\u00f3n Resultados de b\u00fasqueda del m\u00f3dulo Portal Search en Liferay Portal 7.2.0 a 7.4.3.11 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 8, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 17 y versiones anteriores no compatibles permiten a los usuarios autenticados remotamente inyectar scripts web o HTML arbitrario en el resultado de b\u00fasqueda de la aplicaci\u00f3n Resultados de b\u00fasqueda si el resaltado est\u00e1 deshabilitado agregando cualquier contenido que permita realizar b\u00fasquedas (por ejemplo, blog, mensaje en el tablero de mensajes, art\u00edculo de contenido web) a la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-25145",
  "lastModified": "2024-11-21T09:00:20.713",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-07T15:15:09.097",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-04-22 11:29
Modified
2024-11-21 04:21
Summary
An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run Groovy scripts and is therefore not a design flaw.
Impacted products
Vendor Product Version
liferay liferay_portal 7.1.2



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.2:ga3:*:*:*:*:*:*",
              "matchCriteriaId": "0B3B7D03-C4E0-4FAE-8BD9-04F12B1E7B50",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay\u0027s Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by \"def cmd =\" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw"
    },
    {
      "lang": "es",
      "value": "** EN DISPUTA ** Fue encontrado un problema en Liferay Portal CE 7.1.2 GA3. Un atacante puede usar la consola de script Groovy de Liferay para ejecutar comandos del sistema operativo. Los comandos se pueden ejecutar mediante una llamada a [command].execute(), como lo demuestra \"def cmd =\" en el valor ServerAdminPortlet_script hacia group/control_panel/manage. Se requieren credenciales v\u00e1lidas para una cuenta de usuario administrador de la aplicaci\u00f3n. NOTA: El desarrollador cuestiona esto como una vulnerabilidad, ya que es una caracter\u00edstica para que los administradores ejecuten scripts en Groovy y, en consecuencia, no es un fallo de dise\u00f1o."
    }
  ],
  "id": "CVE-2019-11444",
  "lastModified": "2024-11-21T04:21:05.430",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-22T11:29:05.830",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://dev.liferay.com/discover/portal/-/knowledge_base/7-1/running-scripts-from-the-script-console"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/46525"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://dev.liferay.com/discover/portal/-/knowledge_base/7-1/running-scripts-from-the-script-console"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/46525"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 17:15
Modified
2024-11-21 08:06
Summary
Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7BD9AEF-1599-49B1-85E8-0B0DB56CE4C0",
              "versionEndIncluding": "7.4.3.76",
              "versionStartIncluding": "7.4.3.48",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs."
    }
  ],
  "id": "CVE-2023-33950",
  "lastModified": "2024-11-21T08:06:16.530",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T17:15:10.007",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 05:15
Modified
2025-02-12 18:51
Summary
Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "B6AAAAF1-994E-409D-8FC7-DE2A2CF60AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "D70C8521-473E-4AA4-BBE8-02BED236383B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "513C4959-418A-4E06-B0BC-5E812FEECC31",
              "versionEndExcluding": "7.4.3.16",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page."
    },
    {
      "lang": "es",
      "value": "Liferay Portal anterior a 7.4.3.16 y Liferay DXP anterior a 7.2 fixpack 19, 7.3 anterior a la actualizaci\u00f3n 6 y 7.4 anterior a la actualizaci\u00f3n 16 permiten a los usuarios autenticados remotamente convertirse en propietarios de una p\u00e1gina wiki editando la p\u00e1gina wiki."
    }
  ],
  "id": "CVE-2022-45320",
  "lastModified": "2025-02-12T18:51:52.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T05:15:07.613",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-45320"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-45320"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-17 13:15
Modified
2024-11-21 08:22
Summary
Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region, (9) Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
              "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CBB14237-26BD-48B6-9FE6-3CBC8DB49A0D",
              "versionEndExcluding": "7.4.3.92",
              "versionStartIncluding": "7.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region, (9) Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de Cross-Site Scripting (XSS) almacenados en el m\u00f3dulo Commerce en Liferay Portal 7.3.5 hasta 7.4.3.91, y Liferay DXP 7.3 actualizaci\u00f3n 33 y anteriores, y 7.4 antes de la actualizaci\u00f3n 92 permiten a atacantes remotos inyectar scripts web o HTML arbitrarios mediante un payload manipulado inyectado en (1) Nombre de Env\u00edo, (2) N\u00famero de Tel\u00e9fono de Env\u00edo, (3) Direcci\u00f3n de Env\u00edo, (4) Direcci\u00f3n de Env\u00edo 2, (5) Direcci\u00f3n de Env\u00edo 3, (6) C\u00f3digo Postal de Env\u00edo, (7) Ciudad de Env\u00edo, (8) Regi\u00f3n de Env\u00edo, (9) Pa\u00eds de Env\u00edo, (10) Nombre de Facturaci\u00f3n, (11) N\u00famero de Tel\u00e9fono de Facturaci\u00f3n, (12) Direcci\u00f3n de Facturaci\u00f3n, (13) Direcci\u00f3n de Facturaci\u00f3n 2, (14) Direcci\u00f3n de Facturaci\u00f3n 3, (15) C\u00f3digo Postal de Facturaci\u00f3n, (16) Ciudad de Facturaci\u00f3n, (17) Regi\u00f3n de Facturaci\u00f3n, (18) Pa\u00eds de Facturaci\u00f3n o (19) C\u00f3digo de Regi\u00f3n."
    }
  ],
  "id": "CVE-2023-42627",
  "lastModified": "2024-11-21T08:22:50.247",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T13:15:11.677",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627"
    },
    {
      "source": "security@liferay.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 15:15
Modified
2024-11-21 08:06
Summary
Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field.
Impacted products
Vendor Product Version
liferay digital_experience_platform 7.4
liferay liferay_portal 7.4.3.50



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.3.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "85FAEA65-56C6-49F2-9F40-207496267879",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Web Content Display widget\u0027s article selector in Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article\u0027s `Title` field."
    }
  ],
  "id": "CVE-2023-33942",
  "lastModified": "2024-11-21T08:06:15.487",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T15:15:09.807",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33942"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33942"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-12-17 21:15
Modified
2025-01-28 21:18
Summary
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform *
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA343855-76B8-47E3-BBB3-31374B1CD8BA",
              "versionEndExcluding": "7.4.3.39",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DDBD8B4-51C6-4D66-8B59-E61BEDF90D30",
              "versionEndExcluding": "7.4",
              "versionStartIncluding": "7.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de cross-site scripting (XSS) reflejado en Liferay Portal 7.1.0 a 7.4.3.38 y Liferay DXP 7.4 GA a la actualizaci\u00f3n 38, 7.3 GA a la actualizaci\u00f3n 36, 7.2 GA a la actualizaci\u00f3n 20 y 7.1 GA a la actualizaci\u00f3n 28 permite a atacantes remotos ejecutar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del campo de nombre de Dispatch"
    }
  ],
  "id": "CVE-2024-11993",
  "lastModified": "2025-01-28T21:18:09.027",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "automatable": "NOT_DEFINED",
          "availabilityRequirements": "NOT_DEFINED",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirements": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirements": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubsequentSystemAvailability": "NOT_DEFINED",
          "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED",
          "modifiedSubsequentSystemIntegrity": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnerableSystemAvailability": "NOT_DEFINED",
          "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED",
          "modifiedVulnerableSystemIntegrity": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "recovery": "NOT_DEFINED",
          "safety": "NOT_DEFINED",
          "subsequentSystemAvailability": "NONE",
          "subsequentSystemConfidentiality": "LOW",
          "subsequentSystemIntegrity": "LOW",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "vulnerableSystemAvailability": "NONE",
          "vulnerableSystemConfidentiality": "LOW",
          "vulnerableSystemIntegrity": "LOW"
        },
        "source": "security@liferay.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-17T21:15:07.013",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 09:15
Modified
2024-12-10 22:20
Summary
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E04E0EDA-8E18-43C3-A0B2-DF45B7CE811D",
              "versionEndExcluding": "7.4.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Journal en Liferay Portal 7.2.0 a 7.4.3.4 y versiones anteriores no compatibles, y Liferay DXP 7.4.13, 7.3 anteriores al service pack 3, 7.2 anteriores al fix pack 17 y versiones anteriores no compatibles otorga a los usuarios invitados permiso de visualizaci\u00f3n del contenido web plantillas de forma predeterminada, lo que permite a atacantes remotos ver cualquier plantilla a trav\u00e9s de la interfaz de usuario o API."
    }
  ],
  "id": "CVE-2024-25605",
  "lastModified": "2024-12-10T22:20:47.737",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T09:15:09.323",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 02:15
Modified
2025-01-28 21:26
Summary
Stored cross-site scripting (XSS) vulnerability in the Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization’s “Name” text field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "831BFAEF-E7B6-4E84-9142-79B93FBA0E8A",
              "versionEndExcluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in Users Admin module\u0027s edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization\u2019s \u201cName\u201d text field"
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting (XSS) almacenadas en la p\u00e1gina de edici\u00f3n de usuario del m\u00f3dulo Users Admin en Liferay Portal 7.2.0 a 7.4.2 y versiones anteriores no compatibles, y Liferay DXP 7.3 anteriores al service pack 3, 7.2 anteriores al fix pack 17 y anteriores no compatibles Las versiones permiten a usuarios remotos autenticados inyectar script web o HTML arbitrarios a trav\u00e9s de un payload manipulado inyectado en el campo de texto \"Nombre\" de una organizaci\u00f3n."
    }
  ],
  "id": "CVE-2024-25602",
  "lastModified": "2025-01-28T21:26:27.113",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T02:15:30.267",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25602"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25602"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-03 00:15
Modified
2024-11-21 06:16
Summary
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameters.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF5BFC45-3970-43D5-A064-D8785677E26C",
              "versionEndExcluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "25C6FBAD-AECD-4DE9-9C2F-6A935540FCA5",
              "versionEndIncluding": "7.3.6",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Blogs module\u0027s edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la p\u00e1gina de edici\u00f3n de entradas de blog del m\u00f3dulo Blogs en Liferay Portal 7.3.2 a 7.3.6, y Liferay DXP 7.3 antes del paquete de correcciones 2 permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title y _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle"
    }
  ],
  "id": "CVE-2021-38267",
  "lastModified": "2024-11-21T06:16:42.627",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-03T00:15:08.067",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entry"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entry"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-08 03:15
Modified
2024-11-21 08:30
Summary
Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "219ADF32-211D-463B-8624-C1C521918363",
              "versionEndExcluding": "7.3.0",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked."
    },
    {
      "lang": "es",
      "value": "El bloqueo de cuentas en Liferay Portal 7.2.0 a 7.3.0 y versiones anteriores no compatibles, y Liferay DXP 7.2 anterior al fixpack 5 y versiones anteriores no compatibles no invalida las sesiones de usuario existentes, lo que permite a los usuarios autenticados remotamente permanecer autenticados despu\u00e9s de que se haya bloqueado una cuenta."
    }
  ],
  "id": "CVE-2023-47798",
  "lastModified": "2024-11-21T08:30:49.593",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-08T03:15:07.367",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73CDC2CC-EE82-4010-88E5-EDC175DA4D47",
              "versionEndExcluding": "7.3.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails"
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Flags en Liferay Portal versiones 7.3.1 y anteriores, y Liferay DXP versiones 7.0 anteriores a fix pack 96, versiones 7.1 anteriores a fix pack 20, y versiones 7.2 anteriores a fix pack 5, no limita la velocidad a la que el contenido puede ser marcado como inapropiado, lo que permite a usuarios autenticados remotos hacer spam al administrador del sitio con correos electr\u00f3nicos"
    }
  ],
  "id": "CVE-2021-33320",
  "lastModified": "2024-11-21T06:08:40.897",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.557",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17007"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747590"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17007"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747590"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-07-20 02:15
Modified
2024-11-21 05:06
Summary
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to an LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "726967CC-1BE0-48AB-8BD1-BE4B09ADFD36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "980981E7-41E3-4F67-A90C-4460BE4CA62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "597580A0-6E74-41D5-9242-9187AF618AD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B61E29C-3071-41EF-9774-185F91282DEB",
              "versionEndExcluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to an LDAP server, which allows remote attackers to obtain the LDAP server\u0027s password via the Test LDAP Connection feature."
    },
    {
      "lang": "es",
      "value": "Liferay Portal versiones anteriores a 7.3.0, y Liferay DXP versi\u00f3n 7.0 anterior al paquete de correcci\u00f3n 89, versi\u00f3n 7.1 anterior al paquete de correcci\u00f3n 17, y versi\u00f3n 7.2 anterior al paquete de correcci\u00f3n 4, no prueba de forma segura una conexi\u00f3n a un servidor LDAP, lo que permite a los atacantes remotos obtener la contrase\u00f1a del servidor LDAP a trav\u00e9s de la funci\u00f3n Probar conexi\u00f3n LDAP"
    }
  ],
  "id": "CVE-2020-15841",
  "lastModified": "2024-11-21T05:06:17.933",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-20T02:15:11.347",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-16928"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-16928"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317439"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 06:15
Modified
2025-01-28 21:34
Summary
Open redirect vulnerability in the Countries Management’s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter.
Impacted products
Vendor Product Version
liferay digital_experience_platform 7.4 update45
liferay digital_experience_platform 7.4 update46
liferay digital_experience_platform 7.4 update47
liferay digital_experience_platform 7.4 update48
liferay digital_experience_platform 7.4 update49
liferay digital_experience_platform 7.4 update50
liferay digital_experience_platform 7.4 update51
liferay digital_experience_platform 7.4 update52
liferay digital_experience_platform 7.4 update53
liferay digital_experience_platform 7.4 update54
liferay digital_experience_platform 7.4 update55
liferay digital_experience_platform 7.4 update56
liferay digital_experience_platform 7.4 update57
liferay digital_experience_platform 7.4 update58
liferay digital_experience_platform 7.4 update59
liferay digital_experience_platform 7.4 update60
liferay digital_experience_platform 7.4 update61
liferay digital_experience_platform 7.4 update62
liferay digital_experience_platform 7.4 update63
liferay digital_experience_platform 7.4 update64
liferay digital_experience_platform 7.4 update65
liferay digital_experience_platform 7.4 update66
liferay digital_experience_platform 7.4 update67
liferay digital_experience_platform 7.4 update68
liferay digital_experience_platform 7.4 update69
liferay digital_experience_platform 7.4 update70
liferay digital_experience_platform 7.4 update71
liferay digital_experience_platform 7.4 update72
liferay digital_experience_platform 7.4 update73
liferay digital_experience_platform 7.4 update74
liferay digital_experience_platform 7.4 update75
liferay digital_experience_platform 7.4 update76
liferay digital_experience_platform 7.4 update77
liferay digital_experience_platform 7.4 update78
liferay digital_experience_platform 7.4 update79
liferay digital_experience_platform 7.4 update80
liferay digital_experience_platform 7.4 update81
liferay digital_experience_platform 7.4 update82
liferay digital_experience_platform 7.4 update83
liferay digital_experience_platform 7.4 update84
liferay digital_experience_platform 7.4 update85
liferay digital_experience_platform 7.4 update86
liferay digital_experience_platform 7.4 update87
liferay digital_experience_platform 7.4 update88
liferay digital_experience_platform 7.4 update89
liferay digital_experience_platform 7.4 update90
liferay digital_experience_platform 7.4 update91
liferay digital_experience_platform 7.4 update92
liferay digital_experience_platform 2023.q3.0
liferay digital_experience_platform 2023.q3.1
liferay digital_experience_platform 2023.q3.2
liferay digital_experience_platform 2023.q3.3
liferay digital_experience_platform 2023.q3.4
liferay digital_experience_platform 2023.q3.5
liferay liferay_portal * (from 7.4.3.45, before 7.4.3.102)



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7B3A5E2-23CE-45A8-BD01-77024EB9F9A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "62432289-E1DC-4013-85C7-6B77299A910F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C96C4DE-61AD-4E88-81BF-8A4F50F06AA5",
              "versionEndExcluding": "7.4.3.102",
              "versionStartIncluding": "7.4.3.45",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open redirect vulnerability in the Countries Management\u2019s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de redireccionamiento abierto en la p\u00e1gina de edici\u00f3n de regi\u00f3n de Gesti\u00f3n de Pa\u00edses en Liferay Portal 7.4.3.45 a 7.4.3.101, y Liferay DXP 2023.Q3 antes del parche 6, y 7.4 actualizaci\u00f3n 45 a 92 permite a atacantes remotos redirigir a los usuarios a URL externas arbitrarias a trav\u00e9s de _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect par\u00e1metro."
    }
  ],
  "id": "CVE-2023-5190",
  "lastModified": "2025-01-28T21:34:19.250",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T06:15:07.680",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-5190"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-5190"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 12:15
Modified
2024-11-21 06:00
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "38A0581E-BA9F-4B6D-AFEE-28AAA8CE31F6",
              "versionEndIncluding": "7.3.5",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la aplicaci\u00f3n Asset Publisher del m\u00f3dulo Asset en Liferay Portal versiones 7.2.1 hasta 7.3.5, y Liferay DXP versiones 7.1 anteriores a fixpack 21, versiones 7.2 anteriores a fixpack 10 y versiones 7.3 anteriores a fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del par\u00e1metro _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId"
    }
  ],
  "id": "CVE-2021-29051",
  "lastModified": "2024-11-21T06:00:36.163",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T12:15:07.460",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 02:15
Modified
2025-01-28 21:25
Summary
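Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links. Note that the record below carries two CVSS 3.1 scores for this issue, 9.6 (CRITICAL) from security@liferay.com and 6.1 (MEDIUM) from nvd@nist.gov, which differ only in the confidentiality, integrity and availability impact ratings.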



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69440C19-B9E7-41F3-B731-B5C7E37C718A",
              "versionEndExcluding": "7.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de cross-site scripting (XSS) en HtmlUtil.escapeJsLink en Liferay Portal 7.2.0 a 7.4.1 y versiones anteriores sin soporte, y Liferay DXP 7.3 anterior al service pack 3, 7.2 anterior al fix pack 15 y versiones anteriores sin soporte, permite a atacantes remotos inyectar scripts web o HTML arbitrarios a trav\u00e9s de enlaces de estilo javascript: manipulados."
    }
  ],
  "id": "CVE-2024-25147",
  "lastModified": "2025-01-28T21:25:53.533",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T02:15:29.750",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
Impacted products
Vendor Product Version
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "12EC8A39-0B8D-47C4-8F54-CB00028EAF3F",
              "versionEndExcluding": "7.3.5",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en la p\u00e1gina de edici\u00f3n de vocabulario del m\u00f3dulo Asset en Liferay Portal versiones 7.0.0 hasta 7.3.4, y Liferay DXP versiones 7.0 anteriores a fix pack 96, versiones 7.1 anteriores a fix pack 20, y versiones 7. 2 anteriores a fix pack 9, permite a atacantes remotos inyectar script web o HTML arbitrario por medio de los par\u00e1metros (1) _com_liferay_journal_web_portlet_JournalPortlet_name o (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name"
    }
  ],
  "id": "CVE-2021-33328",
  "lastModified": "2024-11-21T06:08:42.123",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.823",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17100"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17100"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2018-05-07 13:29
Modified
2024-11-21 03:42
Summary
Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D97B5A0-EC01-491E-B2F7-C051A05AB588",
              "versionEndIncluding": "6.2.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u0027s environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files"
    },
    {
      "lang": "es",
      "value": "** EN DISPUTA ** Liferay en versiones 6.2.x y anteriores tiene una configuraci\u00f3n FCKeditor que permite que un atacante suba o transfiera archivos de tipo peligroso que pueden procesarse autom\u00e1ticamente en el entorno del producto mediante un URI browser/liferay/browser.html?Type= o html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html. NOTA: el fabricante discute este problema debido a que la subida de archivos es una funcionalidad esperada, sujeta a las comprobaciones de control de acceso basado en roles, donde solo los usuarios autenticados con permisos adecuados pueden subir archivos."
    }
  ],
  "id": "CVE-2018-10795",
  "lastModified": "2024-11-21T03:42:02.580",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-05-07T13:29:00.220",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cxsecurity.com/issue/WLB-2018050029"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cxsecurity.com/issue/WLB-2018050029"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.
Impacted products
Vendor Product Version
liferay dxp *
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C0B6536-11D4-48A1-8EC8-FCDFFFD07540",
              "versionEndExcluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "36D56850-2946-4852-8199-6987C873AF18",
              "versionEndExcluding": "7.3.3",
              "versionStartIncluding": "6.2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true."
    },
    {
      "lang": "es",
      "value": "Una configuraci\u00f3n no segura predeterminada en Liferay Portal versiones 6.2.3 hasta  7.3.2, y Liferay DXP versiones anteriores a 7.3, permite a atacantes remotos enumerar la direcci\u00f3n de correo electr\u00f3nico del usuario por medio de la funcionalidad forgot password. La funci\u00f3n portal.property login.secure.forgot.password deber\u00eda estar por defecto en true"
    }
  ],
  "id": "CVE-2021-33321",
  "lastModified": "2024-11-21T06:08:41.063",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.590",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://help.liferay.com/hc/en-us/articles/360050785632"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://help.liferay.com/hc/en-us/articles/360050785632"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-640"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-03 00:15
Modified
2024-11-21 06:16
Summary
Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "268D0391-AFD2-4AE1-810E-C28046F9FF65",
              "versionEndIncluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F7687E8-644C-432E-8AC2-70C913C077D9",
              "versionEndIncluding": "7.3.6",
              "versionStartIncluding": "7.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el m\u00f3dulo Asset de Liferay Portal 7.3.4 a 7.3.6 permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios al crear una p\u00e1gina de colecci\u00f3n a trav\u00e9s del par\u00e1metro _com_liferay_asset_list_web_portlet_AssetListPortlet_title"
    }
  ],
  "id": "CVE-2021-38265",
  "lastModified": "2024-11-21T06:16:42.237",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-03T00:15:08.020",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-01-28 14:15
Modified
2024-11-21 05:38
Summary
In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "6F3ED980-C91C-4A2F-944D-207C6C78981C",
              "versionEndIncluding": "7.2.1",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1."
    },
    {
      "lang": "es",
      "value": "En LifeRay Portal CE versiones 7.1.0 hasta 7.2.1 GA2, los campos First Name, Middle Name, y Last Name para las cuentas de usuario en MyAccountPortlet son vulnerables a un problema de tipo XSS persistente. Cualquier usuario puede modificar estos campos con una carga \u00fatil XSS particular, y ser\u00e1 almacenada en la base de datos. La carga \u00fatil entonces ser\u00e1 renderizada cuando un usuario utilice la funcionalidad search para buscar a otros usuarios (es decir, si se presenta un usuario con campos modificados en los resultados de la b\u00fasqueda). Este problema fue corregido en el Portal Liferay CE versi\u00f3n 7.3.0 GA1"
    }
  ],
  "id": "CVE-2020-7934",
  "lastModified": "2024-11-21T05:38:02.303",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-28T14:15:14.943",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://packetstormsecurity.com/files/160168/LifeRay-7.2.1-GA2-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://semanticbits.com/liferay-portal-authenticated-xss-disclosure/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/160168/LifeRay-7.2.1-GA2-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://semanticbits.com/liferay-portal-authenticated-xss-disclosure/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-17 08:15
Modified
2024-11-21 08:22
Summary
Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "33B0E975-ED31-45BF-AE6F-D614E03A1F40",
              "versionEndExcluding": "7.4.3.86",
              "versionStartIncluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.\n"
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) reflejada en la p\u00e1gina \"Export for Translation\" en Liferay Portal 7.4.3.4 hasta 7.4.3.85, y Liferay DXP 7.4 anterior a la actualizaci\u00f3n 86 permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s del par\u00e1metro `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect`."
    }
  ],
  "id": "CVE-2023-42497",
  "lastModified": "2024-11-21T08:22:40.480",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T08:15:09.437",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 17:15
Modified
2024-11-21 08:06
Summary
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they do not control. The portal property `company.security.strangers.verify` should be set to true.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "39BA38ED-FF39-4795-9313-F920D16DD629",
              "versionEndIncluding": "7.3.0",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don\u0027t control. The portal property `company.security.strangers.verify` should be set to true."
    }
  ],
  "id": "CVE-2023-33949",
  "lastModified": "2024-11-21T08:06:16.403",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T17:15:09.933",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-06-10 19:15
Modified
2024-11-21 05:01
Summary
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "AB4DACB5-6018-484E-B4D4-83A6070EB11E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "5309DDFD-9B58-437A-9ADF-D0A3F7B5328F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "323159D4-B013-4F7F-951B-A9EEA14B67FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "040B88A2-3AB5-48F4-AEDD-A4579A172C36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "EE4E1281-8507-42CB-9330-7D4B23247164",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "3CBB1548-87A9-433E-A9B1-E83ACD627DD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "BD811C1C-7736-4AED-A637-9A5DEF2E895B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates."
    },
    {
      "lang": "es",
      "value": "En Liferay Portal versiones anteriores a 7.3.2 y Liferay DXP versiones 7.0 anteriores a fixpack 92, versiones 7.1 anteriores a fixpack 18 y versiones 7.2 anteriores a fixpack 6, la API de plantilla no restringe el acceso del usuario a objetos confidenciales, lo que permite a usuarios autenticados remotos ejecutar c\u00f3digo arbitrario por medio de plantillas FreeMarker y Velocity dise\u00f1adas"
    }
  ],
  "id": "CVE-2020-13445",
  "lastModified": "2024-11-21T05:01:17.130",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-10T19:15:09.943",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17023"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17023"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 03:15
Modified
2025-01-28 02:47
Summary
Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key` parameter.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 2023.q3.0
liferay digital_experience_platform 2023.q3.1
liferay digital_experience_platform 2023.q3.2
liferay digital_experience_platform 2023.q3.3
liferay digital_experience_platform 2023.q3.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "46868AAC-0BA9-43AB-9E7C-4080AFE04DF7",
              "versionEndExcluding": "7.4.3.98",
              "versionStartIncluding": "7.4.3.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7B3A5E2-23CE-45A8-BD01-77024EB9F9A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de cross-site scripting (XSS) reflejado en la pantalla de edici\u00f3n de Language Override en Liferay Portal 7.4.3.8 a 7.4.3.97, y Liferay DXP 2023.Q3 antes del parche 5, y 7.4 actualizaci\u00f3n 4 a 92 permite a atacantes remotos inyectar scripts web arbitrarios o HTML a trav\u00e9s del par\u00e1metro _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key."
    }
  ],
  "id": "CVE-2023-42498",
  "lastModified": "2025-01-28T02:47:39.277",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T03:15:08.240",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42498"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42498"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Severity ?
Summary
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay liferay_portal 7.3.7



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "50EA838E-E234-4EE1-8193-5FAD0E093940",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "174B6D58-FBEA-4D06-8FBA-DE08B0DC6111",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo URL Amigable en Liferay Portal 7.3.7 y Liferay DXP 7.3 fixpack 2 hasta la actualizaci\u00f3n 4 permite a los atacantes ejecutar comandos SQL arbitrarios a trav\u00e9s de un payload manipulado inyectado en el campo \"t\u00edtulo\" de una URL amigable."
    }
  ],
  "id": "CVE-2022-42122",
  "lastModified": "2024-11-21T07:24:24.393",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:12.960",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17520"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17520"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-10-22 15:15
Modified
2024-12-10 21:07
Summary
The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or an XSS vulnerability.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform *
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *
liferay liferay_portal *
liferay liferay_portal *
liferay liferay_portal *
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C6F1E5B-1C88-49AD-8B34-6190F1C6684C",
              "versionEndIncluding": "7.2",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "01AC8CB4-9E89-40E6-B4F6-6F1BB36C855D",
              "versionEndExcluding": "2023.q3.5",
              "versionStartIncluding": "2023.q3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
              "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
              "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*",
              "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*",
              "matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
              "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*",
              "matchCriteriaId": "1F8A9DEC-2C27-4EBB-B684-8EBDB374CFCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*",
              "matchCriteriaId": "C3E7B777-8026-4C8F-9353-B5504873E0F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*",
              "matchCriteriaId": "2207FEE5-2537-4C6E-AC9C-EC53DBF3C57E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*",
              "matchCriteriaId": "087A2B43-07CE-4B3D-B879-449631DDA8D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*",
              "matchCriteriaId": "019CED83-6277-434C-839C-6C4E0C45FB1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*",
              "matchCriteriaId": "6C533124-74E6-4312-9AF7-6496DE2A5152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*",
              "matchCriteriaId": "8DDA248D-5F00-4FC1-B857-A7942BAA1F3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*",
              "matchCriteriaId": "6C6BA174-69D4-43FC-9395-1B6306A44CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*",
              "matchCriteriaId": "A465C229-D3FB-43E9-87BE-119BEE9110F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*",
              "matchCriteriaId": "32E98546-CE96-4BB8-A11C-F7E850C155F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*",
              "matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*",
              "matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*",
              "matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*",
              "matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*",
              "matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*",
              "matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
              "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
              "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
              "matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
              "matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
              "matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
              "matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7471D27F-6FDF-4214-9DAF-CC68CE6DB80D",
              "versionEndExcluding": "7.0.6",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "74992E49-BDF7-4AE0-A1F1-A2DD59ED6F2D",
              "versionEndExcluding": "7.1.3",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7CAF8FC-6334-48FD-A3E0-83EE307A5210",
              "versionEndIncluding": "7.2.1",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "13F59EAA-9EC8-44CC-8F56-BC26981F584F",
              "versionEndIncluding": "7.3.7",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "79CB407F-11CB-45E9-AE4D-5926AE59EA0F",
              "versionEndExcluding": "7.4.3.102",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or an XSS vulnerability."
    },
    {
      "lang": "es",
      "value": "La consola de scripts en Liferay Portal 7.0.0 a 7.4.3.101, y Liferay DXP 2023.Q3.1 a 2023.Q3.4, 7.4 GA hasta la actualizaci\u00f3n 92, 7.3 GA hasta la actualizaci\u00f3n 35, 7.2 GA hasta el fix pack 20, 7.1 GA hasta el fix pack 28, 7.0 GA hasta el fix pack 102 y 6.2 GA hasta el fix pack 173 no protege lo suficiente contra ataques de Cross-Site Request Forgery (CSRF), que permiten a atacantes remotos ejecutar scripts de Groovy arbitrarios a trav\u00e9s de una URL manipulada o una vulnerabilidad XSS."
    }
  ],
  "id": "CVE-2024-8980",
  "lastModified": "2024-12-10T21:07:09.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-22T15:15:07.337",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-17 12:15
Modified
2024-11-21 08:22
Summary
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
Impacted products
Vendor Product Version
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "6F20D93D-7FB2-4D5F-9249-4DECDE473C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "CF0821E5-B6E5-44E6-9CF7-77EAE982F677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "1B24B6A1-8439-49D6-8E78-193144F3DCC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "7E82A6CC-891C-4619-84EA-0DA96E4043C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "70E12054-0DEE-4B92-B8F6-7DC4B2461113",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "3B566A51-3EFC-4A08-8A4F-A9AA43FBE481",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "FE1A8781-6B16-4D37-B556-36B99CBCA9F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "3EE11B43-1629-4A22-BE88-0AFB2DFC528C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "10FC6F33-C031-40A4-AFAF-B5CF30F79E52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "99B99578-CACE-47D2-9C1E-A7BBD2B6F6EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "950D98A8-88EE-4C99-817B-C418071B2819",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "F86FF50F-B21A-4B6E-88B8-90D0C042E942",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "CE0E1891-6E76-4069-B412-43B5E5379E0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "404F5FFE-2758-452F-9297-40E0533C6FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "3F5B7E72-8D62-464A-AA82-CBE2625C7687",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "4FA67C68-3E8E-4383-967F-A1FA55AE4897",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "F220793A-FDAC-48C6-B299-39EB3BC077A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "F095A9E1-5FE1-46C4-B0E1-97F8767439D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "DFD748DD-6FDB-44CD-96BF-026D18CE4207",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "0A34F2EA-D0F7-4C9B-BFE6-DA334DFD0EDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "4B3C2426-7617-4535-B86A-7F9BA45DFD0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_29:*:*:*:*:*:*",
              "matchCriteriaId": "88A5CBCE-2BAE-44C7-A7BF-BC30C89839BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "CA6B2500-42E4-4F87-8B93-2F7399B4F611",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "28955834-8E02-4558-ABD3-4958DBB41423",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_31:*:*:*:*:*:*",
              "matchCriteriaId": "89B4F926-5018-4C50-9569-A92BEA6364A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_32:*:*:*:*:*:*",
              "matchCriteriaId": "863C4DBB-9BA2-4A13-8394-08AC500D552A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "C4206C84-C4BD-4363-A4CA-EE229CE06319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_34:*:*:*:*:*:*",
              "matchCriteriaId": "54CA9915-54C2-4E7F-85AF-781CA0A63A9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "4F644864-1056-4A0C-ADD7-A1992A0AC07D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "91E9BAE9-CD40-4353-95DB-7D9ADC338F95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_37:*:*:*:*:*:*",
              "matchCriteriaId": "C2A29CA0-66CB-4ED9-87B3-57A1C04F59F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_38:*:*:*:*:*:*",
              "matchCriteriaId": "2BFC882E-25C2-46A3-A0DA-A779399A3A30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "661E68A2-B365-4962-87CF-CE17A500889F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "D4094372-E950-4DE0-86D2-CE7F214FD3A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "A5D28279-002A-4BC7-9396-E47FC842D7AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "C700ED72-4626-48A0-B1BB-E0A7C12D454F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "8F473DF1-F70D-4EDB-A011-C8D1C6A21659",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "C2351EAC-F6AD-4611-B9BD-39C4DFE85B5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "357845C1-3834-465A-B9CA-F9C604AA8242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "DD35964D-4156-45B8-A0AB-282DA9F4FA47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "35656567-EF24-4948-A72A-C754D6E419B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "E9A3D95D-4539-432D-B241-376F312534AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "81F329F1-5BB1-42A7-98CE-B0EB5819D60A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "5B7111FA-9FD7-4952-AFE1-07D3E14854F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D35916F1-24AA-4BF3-8B1F-2361C5B815D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "2C7A080F-9C99-41A0-BC63-EBDDC0DF7B8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "0383C4C4-A7BB-418D-9A98-AC4233722961",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "AA281A20-7599-446B-9587-118E920403D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "9514E8F5-1D0B-4CDF-BD03-087326F6C252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "78BC7D6C-2A10-4F78-9C41-EA97665C246E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_55:*:*:*:*:*:*",
              "matchCriteriaId": "B2C29B11-D87B-4D78-9D42-AD528C811080",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "CA9BE427-78D7-4DEE-A174-F3E3675B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "6C10325C-8670-499B-B003-7D8634539C5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "5F692BEB-5CB1-41EA-B715-64AB0036F6CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "427C4DF5-9039-4CB5-B600-5F965E20D945",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "EDEE4B40-889C-472E-AA91-7E1B4314EE64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "44B7A2A2-5764-4EDB-AA44-25F8508CF128",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "55D94917-5360-4179-A017-1287C63A6E6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_62:*:*:*:*:*:*",
              "matchCriteriaId": "52C5C76D-2572-4ADF-B7E4-7B3444935658",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_63:*:*:*:*:*:*",
              "matchCriteriaId": "9ABFC91A-7A8D-4A08-9464-F534BAA69B4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "1D378A23-113D-47AC-9CB5-2658C357FFB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "58FB119E-508C-45F7-8AD8-B67AAAEA53D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "8B3359A5-D39B-4322-8963-B138D791D232",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "E11E2FBD-7541-4CE3-8A78-52FB82571547",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "3883F470-8D8D-4CB3-BF4A-0C401BDABC83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "1BDCF010-04BF-4FA5-9E14-F6461FED3FFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "3867FDAA-354E-4D2F-A260-27F31CA44C8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "7E8CEA39-4A7F-4827-91FA-31119201D174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "D3768AC9-A245-4B81-8D1D-9D9C5354245C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "71CA65C9-C0FC-4CBD-A8B0-DD72604A46F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "9F06DECA-F45D-49DA-BB24-AA1F0306B0B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_74:*:*:*:*:*:*",
              "matchCriteriaId": "3BA69ED9-28FA-40B5-84F9-0FFE40DFC675",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "6FF2D31F-8719-41A6-ADD5-15BE9409428E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "DE56F5E5-73CF-4636-9F98-86BDDA3F6A47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_77:*:*:*:*:*:*",
              "matchCriteriaId": "CE4885B1-F912-4D06-8179-830FC011F3F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "A1A0EFCE-4B74-4B4D-AB6E-5730F26B38FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "F02DCC86-C3F7-482C-9BFB-B7971FB10AEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "A89B7EE4-57FD-4B09-841A-ABC9990FF88F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "06835B0A-A2DF-44D3-A38F-59E5D5523FFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "B746D0CF-76F6-42A1-9056-CA9622DCD806",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "FFC33A7E-B1CB-4E83-B75C-71F5E7E5E406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67C00B28-3F41-49FA-87E0-130F77235C05",
              "versionEndExcluding": "7.4.3.88",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page\u0027s \u2018Content\u2019 text field."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el widget Wiki en Liferay Portal 7.1.0 a 7.4.3.87 y Liferay DXP 7.0 fixpack 83 a 102, 7.1 fixpack 28 y anteriores, 7.2 fixpack 20 y anteriores, 7.3 actualizaci\u00f3n 33 y anteriores, y 7.4 anterior a la actualizaci\u00f3n 88 permite a atacantes remotos inyectar scripts web o HTML arbitrarios en una p\u00e1gina wiki principal a trav\u00e9s de un payload manipulado inyectado en el campo de texto \u0027Content\u0027 de una p\u00e1gina wiki."
    }
  ],
  "id": "CVE-2023-42628",
  "lastModified": "2024-11-21T08:22:50.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T12:15:10.043",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628"
    },
    {
      "source": "security@liferay.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-12-27 17:08
Modified
2024-11-21 03:18
Summary
In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag.
Impacted products
Vendor Product Version
liferay liferay_portal 6.1.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEB2CD12-1878-45DA-9B67-51BC1A369568",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag."
    },
    {
      "lang": "es",
      "value": "En Liferay Portal 6.1.0, la secci\u00f3n de etiquetas contiene XSS mediante un valor Public Render Parameter (p_r_p), tal y como lo demuestra p_r_p_564233524_tag."
    }
  ],
  "id": "CVE-2017-17868",
  "lastModified": "2024-11-21T03:18:51.243",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-12-27T17:08:20.670",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cxsecurity.com/issue/WLB-2017120169"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cxsecurity.com/issue/WLB-2017120169"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-04-15 16:15
Modified
2024-11-21 06:54
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay liferay_portal 7.4.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB6925E4-FA62-46FB-ABAA-EAA5B7A4D409",
              "versionEndExcluding": "7.3.7",
              "versionStartIncluding": "7.3.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D77AE89B-3769-4AEC-AF7B-00AAE3F345F9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field\u0027s help text to (1) Forms module\u0027s form builder, or (2) App Builder module\u0027s object form view\u0027s form builder."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en Liferay Portal versiones 7.3.5 hasta 7.4.0 y Liferay DXP versiones 7.3 anteriores a service pack 3, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del texto de ayuda de un campo de formulario en (1) el constructor de formularios del m\u00f3dulo Forms, o (2) el constructor de formularios de la vista de formularios de objetos del m\u00f3dulo App Builder"
    }
  ],
  "id": "CVE-2022-26594",
  "lastModified": "2024-11-21T06:54:10.950",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-15T16:15:07.820",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-18 21:15
Modified
2024-11-21 07:24
Summary
A cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and 7.4 before update 25, allows remote attackers to inject arbitrary web script or HTML via a crafted payload.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BC18F4F-2284-4E3E-B8AC-8EDE1649C635",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "74FAF597-EAAD-4BB5-AB99-8129476A7E89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "0058B9A5-7864-4356-ADBA-C9AF1BB74836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:ga1:*:*:*:*:*:*",
              "matchCriteriaId": "186D21EA-CD15-4F50-B129-6EF8DCB4FE50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*",
              "matchCriteriaId": "5703FE2B-011A-4A40-AB67-B989438F2183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*",
              "matchCriteriaId": "41A54448-B1AB-4E92-8523-5D4A46A83533",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*",
              "matchCriteriaId": "A96A2A4A-3EB3-4074-A846-EC6EECC04B43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*",
              "matchCriteriaId": "56DAE678-10B9-419D-9F5D-96E3AC3A6E4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*",
              "matchCriteriaId": "064F4C28-B1F5-44C2-91AA-A09FD56EC0B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*",
              "matchCriteriaId": "814D0CE3-B89F-423C-B1E3-47BD0A474491",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*",
              "matchCriteriaId": "58DB7C5A-B4E3-410A-B491-3F322B340BDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*",
              "matchCriteriaId": "86B581B6-02B0-40B9-BB5C-E28FC51042DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*",
              "matchCriteriaId": "E7EFBC14-6785-4435-BA96-D77A857BC1C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*",
              "matchCriteriaId": "585635F8-53DC-4F64-BF6B-C6F72A5F4D29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DAC6B76-A5D8-4164-8DF8-1058858F78EE",
              "versionEndExcluding": "7.4.3.25",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Portal Search module\u0027s Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el widget Sort del m\u00f3dulo Portal Search en Liferay Portal versiones 7.2.0 hasta 7.4.3.24, y Liferay DXP 7.2 versiones anteriores a fix pack 19, 7.3 anteriores a update 5, y DXP versiones 7.4 anteriores a update 25, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio de una carga \u00fatil dise\u00f1ada"
    }
  ],
  "id": "CVE-2022-42112",
  "lastModified": "2024-11-21T07:24:22.823",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-18T21:15:16.203",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-04-19 13:15
Modified
2024-11-21 06:54
Summary
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13 and 7.3 fix pack 2, do not properly check user permissions when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "174B6D58-FBEA-4D06-8FBA-DE08B0DC6111",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D77AE89B-3769-4AEC-AF7B-00AAE3F345F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A59A2D6-8E6C-4436-B1CC-D99C6A539E69",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user\u0027s site membership assignment UI."
    },
    {
      "lang": "es",
      "value": "Liferay Portal versiones 7.3.7, 7.4.0, y 7.4.1, y Liferay DXP versiones 7.2 fix pack 13, y 7.3 fix pack 2 no comprueban apropiadamente los permisos de usuarios cuando acceden a una lista de sitios/grupos, lo que permite a usuarios remotos autenticados visualizar sitios/grupos por medio de la UI de asignaci\u00f3n de miembros del sitio del usuario"
    }
  ],
  "id": "CVE-2022-26595",
  "lastModified": "2024-11-21T06:54:11.090",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-19T13:15:08.443",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 21:15
Modified
2024-11-21 06:08
Summary
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0EE0C481-59B8-4C1D-897D-18AAD8C08F8E",
              "versionEndExcluding": "7.3.3",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms \"Access in Site Administration\" permission to view all forms and form entries in a site via the forms section in site administration."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Dynamic Data Mapping en Liferay Portal versiones 7.0.0 hasta 7.3.2, y Liferay DXP versiones 7.0 anteriores a fix pack 94, versiones 7.1 anteriores a fix pack 19, y versiones 7.2 anteriores a fix pack 6, no comprueba apropiadamente los permisos de usuario, que permite a atacantes remotos con permiso de formularios \"Access in Site Administration\" visualizar todos los formularios y entradas de formularios en un sitio por medio de la secci\u00f3n de formularios en la administraci\u00f3n del sitio"
    }
  ],
  "id": "CVE-2021-33334",
  "lastModified": "2024-11-21T06:08:42.940",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T21:15:08.610",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17039"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17039"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-10-22 15:15
Modified
2024-12-10 21:07
Summary
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, and (4) perform other administrative actions via the p_l_back_url parameter.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform *
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "935D404E-76A6-4405-8A74-0E70E50C3FCC",
              "versionEndExcluding": "2023.q3.6",
              "versionStartIncluding": "2023.q3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3758E9CF-12EC-4025-85BB-1D5EEA99359A",
              "versionEndExcluding": "2023.q4.3",
              "versionStartIncluding": "2023.q4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
              "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
              "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*",
              "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*",
              "matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
              "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*",
              "matchCriteriaId": "1F8A9DEC-2C27-4EBB-B684-8EBDB374CFCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*",
              "matchCriteriaId": "C3E7B777-8026-4C8F-9353-B5504873E0F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*",
              "matchCriteriaId": "2207FEE5-2537-4C6E-AC9C-EC53DBF3C57E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*",
              "matchCriteriaId": "087A2B43-07CE-4B3D-B879-449631DDA8D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*",
              "matchCriteriaId": "019CED83-6277-434C-839C-6C4E0C45FB1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*",
              "matchCriteriaId": "6C533124-74E6-4312-9AF7-6496DE2A5152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*",
              "matchCriteriaId": "8DDA248D-5F00-4FC1-B857-A7942BAA1F3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*",
              "matchCriteriaId": "6C6BA174-69D4-43FC-9395-1B6306A44CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*",
              "matchCriteriaId": "A465C229-D3FB-43E9-87BE-119BEE9110F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*",
              "matchCriteriaId": "32E98546-CE96-4BB8-A11C-F7E850C155F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*",
              "matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*",
              "matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*",
              "matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*",
              "matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*",
              "matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*",
              "matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
              "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
              "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
              "matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
              "matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
              "matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
              "matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F2C2272-3E19-4836-BCA5-660208D5985D",
              "versionEndIncluding": "7.3.7",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D23EB185-798C-4F89-8AAA-6D229BCD8BA4",
              "versionEndExcluding": "7.4.3.108",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, and (4) perform other administrative actions via the p_l_back_url parameter."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de Cross-Site Request Forgery (CSRF) en el editor de p\u00e1ginas de contenido en Liferay Portal 7.3.2 a 7.4.3.107, y Liferay DXP 2023.Q4.0 a 2023.Q4.2, 2023.Q3.1 a 2023.Q3.5, 7.4 GA a la actualizaci\u00f3n 92 y 7.3 GA a la actualizaci\u00f3n 35 permite a atacantes remotos (1) cambiar las contrase\u00f1as de los usuarios, (2) apagar el servidor, (3) ejecutar c\u00f3digo arbitrario en la consola de scripts, y (4) realizar otras acciones administrativas a trav\u00e9s del par\u00e1metro p_l_back_url."
    }
  ],
  "id": "CVE-2024-26272",
  "lastModified": "2024-12-10T21:07:02.180",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-22T15:15:05.740",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26272"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-18 21:15
Modified
2024-11-21 07:24
Summary
A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C0B6536-11D4-48A1-8EC8-FCDFFFD07540",
              "versionEndExcluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7FEE38F-02E9-4801-9030-DFC4223C0E60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "2B420A18-5C8B-470F-9189-C84F8DAA74D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:ga1:*:*:*:*:*:*",
              "matchCriteriaId": "186D21EA-CD15-4F50-B129-6EF8DCB4FE50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*",
              "matchCriteriaId": "5703FE2B-011A-4A40-AB67-B989438F2183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*",
              "matchCriteriaId": "41A54448-B1AB-4E92-8523-5D4A46A83533",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E947128-538F-48C9-98F4-339C0760C6FC",
              "versionEndIncluding": "7.4.3.16",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el m\u00f3dulo Frontend Taglib en Liferay Portal versiones 7.3.2 hasta 7.4.3.16, y Liferay DXP versiones 7.3 anteriores a update 6, y versiones 7.4 anteriores a update 17, permite a atacantes remotos inyectar script web o HTML arbitrarios."
    }
  ],
  "id": "CVE-2022-42117",
  "lastModified": "2024-11-21T07:24:23.603",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-18T21:15:16.413",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42117"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42117"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-18 21:15
Modified
2024-11-21 07:24
Summary
A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter.
Impacted products
Vendor Product Version
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_30:*:*:*:*:*:*",
              "matchCriteriaId": "D372D9B9-5A83-4FF8-8DE5-617D99D1A8B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_31:*:*:*:*:*:*",
              "matchCriteriaId": "7519ABB1-57A7-46F1-97FC-DD44787F2B6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_32:*:*:*:*:*:*",
              "matchCriteriaId": "87BD916B-245C-4D62-B595-1985784C2ABC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_33:*:*:*:*:*:*",
              "matchCriteriaId": "841E15A8-0819-4E48-B7E3-3ACCB4C1F43B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_34:*:*:*:*:*:*",
              "matchCriteriaId": "91A243D9-7633-4836-B72D-75EF6C0F8876",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_35:*:*:*:*:*:*",
              "matchCriteriaId": "6E2B1876-78B1-407A-9392-94FFF33AC803",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_36:*:*:*:*:*:*",
              "matchCriteriaId": "4C6BBDC0-9D68-4653-9177-E49B847B04ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4595361-88D2-42D7-8B52-295572A474E4",
              "versionEndExcluding": "7.4.3.37",
              "versionStartIncluding": "7.4.3.30",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en el m\u00f3dulo Document Library de Liferay Portal versiones 7.4.3.30 hasta 7.4.3.36, y Liferay DXP versiones 7.4 update 30 hasta update 36, permite a atacantes remotos inyectar script web o HTML arbitrarios por medio del par\u00e1metro \"redirect\""
    }
  ],
  "id": "CVE-2022-42113",
  "lastModified": "2024-11-21T07:24:22.980",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-18T21:15:16.247",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42113"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42113"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-06-15 05:15
Modified
2024-11-21 08:07
Summary
Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Impacted products
Vendor Product Version
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_70:*:*:*:*:*:*",
              "matchCriteriaId": "3A210A40-99B5-40D6-BBB8-E0E30FADED2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_71:*:*:*:*:*:*",
              "matchCriteriaId": "9ED1C984-729C-4994-B041-12AD82ABB7FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_72:*:*:*:*:*:*",
              "matchCriteriaId": "998F01FB-913B-4224-8413-D62ACCF570E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_73:*:*:*:*:*:*",
              "matchCriteriaId": "F18E6353-E96E-4FD6-8CEE-28A30C70AC82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_74:*:*:*:*:*:*",
              "matchCriteriaId": "6102A1C7-26E5-4830-A87F-C7142671261E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_75:*:*:*:*:*:*",
              "matchCriteriaId": "57374266-D3DA-4E50-8B4B-19ED8343AC9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_76:*:*:*:*:*:*",
              "matchCriteriaId": "93CCCAAE-8B59-4F59-91E9-860F4313521C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9014083-2E75-4403-9C1D-C4F07C8DB877",
              "versionEndExcluding": "7.4.3.77",
              "versionStartIncluding": "7.4.3.70",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
    }
  ],
  "id": "CVE-2023-35030",
  "lastModified": "2024-11-21T08:07:50.727",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-15T05:15:09.857",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-03 00:15
Modified
2024-11-21 06:51
Summary
The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F7BCC0B-5F36-4E6B-AABE-61B88E9A99D8",
              "versionEndIncluding": "7.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D590E39-35BB-476C-B08E-ABFDF4C201BF",
              "versionEndExcluding": "7.4.3.9",
              "versionStartIncluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Remote App en Liferay Portal v7.4.3.4 hasta v7.4.3.8 y Liferay DXP 7.4 antes de la actualizaci\u00f3n 5 no comprueba si el origen de los mensajes de evento que recibe coincide con el origen de la Remote App, permitiendo a los atacantes exfiltrar el token CSRF a trav\u00e9s de un mensaje de evento crafteado"
    }
  ],
  "id": "CVE-2022-25146",
  "lastModified": "2024-11-21T06:51:41.503",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-03T00:15:08.617",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Not Applicable",
        "Third Party Advisory"
      ],
      "url": "https://www.securitum.pl"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable",
        "Third Party Advisory"
      ],
      "url": "https://www.securitum.pl"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-18 21:15
Modified
2024-11-21 07:24
Summary
A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C0B6536-11D4-48A1-8EC8-FCDFFFD07540",
              "versionEndExcluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "2B420A18-5C8B-470F-9189-C84F8DAA74D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:ga1:*:*:*:*:*:*",
              "matchCriteriaId": "186D21EA-CD15-4F50-B129-6EF8DCB4FE50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DC7AD5B-063F-4C30-A9D9-08C3F90185D9",
              "versionEndExcluding": "7.4.3.15",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Frontend Editor module\u0027s integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Cross-site scripting (XSS) en la integraci\u00f3n del m\u00f3dulo Frontend Editor con CKEditor en Liferay Portal versiones 7.3.2 hasta 7.4.3.14, y Liferay DXP versiones 7.3 anteriores a update 6, y versiones 7.4 anteriores a update 15, permite a atacantes remotos inyectar script web o HTML arbitrarios por medio del par\u00e1metro (1) name, o (2) namespace"
    }
  ],
  "id": "CVE-2022-42116",
  "lastModified": "2024-11-21T07:24:23.450",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-18T21:15:16.373",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42116"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42116"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-01-07 17:15
Modified
2024-11-21 05:18
Summary
Liferay CMS Portal versions 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert a malicious payload in the username, lastname or surname fields of their own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate their privileges if an admin visits the calendar that injected the payload.
Impacted products
Vendor Product Version
liferay liferay_portal 7.1.3
liferay liferay_portal 7.2.1



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4F0F84D-C666-4C8F-9E6A-2C66E1797CB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B795544D-19A9-47A6-B464-CE738F30378B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay CMS Portal versions 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert a malicious payload in the username, lastname or surname fields of their own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate their privileges if an admin visits the calendar that injected the payload."
    },
    {
      "lang": "es",
      "value": "Liferay CMS Portal versiones 7.1.3 y 7.2.1, presenta una vulnerabilidad de tipo cross-site scripting (XSS) persistente ciego en el par\u00e1metro user name en Calendario. Un atacante puede insertar una carga \u00fatil maliciosa en los campos username, lastname o surname de su propio perfil, y la carga \u00fatil maliciosa ser\u00e1 inyectada y reflejada en el calendario del usuario que envi\u00f3 la carga \u00fatil. Un atacante podr\u00eda escalar sus privilegios en caso de que un administrador visite el calendario que inyect\u00f3 la carga \u00fatil"
    }
  ],
  "id": "CVE-2020-25476",
  "lastModified": "2024-11-21T05:18:02.020",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-01-07T17:15:12.590",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/community-security-team/liferay-portal/compare/7.1.3-ga4...7.1.3-cumulative.patch"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119318646"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/community-security-team/liferay-portal/compare/7.1.3-ga4...7.1.3-cumulative.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119318646"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 07:15
Modified
2024-12-10 23:03
Summary
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69440C19-B9E7-41F3-B731-B5C7E37C718A",
              "versionEndExcluding": "7.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the \"Limit membership to members of the parent site\" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site."
    },
    {
      "lang": "es",
      "value": "Liferay Portal 7.2.0 a 7.4.1 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al service pack 3, 7.2 anterior al fix pack 15 y versiones anteriores no compatibles no restringen adecuadamente la membres\u00eda de un sitio secundario cuando la opci\u00f3n \"Limitar membres\u00eda a miembros del sitio principal\" est\u00e1 habilitada, lo que permite a los usuarios autenticados remotamente agregar usuarios que no son miembros del sitio principal a un sitio secundario. El usuario agregado puede obtener permiso para realizar acciones no autorizadas en el sitio secundario."
    }
  ],
  "id": "CVE-2024-25149",
  "lastModified": "2024-12-10T23:03:54.853",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T07:15:10.557",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "81929C82-CE15-45AC-94D6-7B6906C9112E",
              "versionEndExcluding": "7.3.2",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site\u0027s page administration."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Layout en Liferay Portal versiones 7.1.0 hasta 7.3.1, y Liferay DXP versiones 7.1 anterior a fix pack 20, y versiones 7.2 anterior a fix pack 5, no comprueba apropiadamente los permisos de las p\u00e1ginas, que permite a usuarios autenticados remotos sin permiso de visualizaci\u00f3n de una p\u00e1gina visualizar la p\u00e1gina por medio de la administraci\u00f3n de p\u00e1ginas de un sitio"
    }
  ],
  "id": "CVE-2021-33324",
  "lastModified": "2024-11-21T06:08:41.510",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.690",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17001"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17001"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-03 20:29
Modified
2024-11-21 04:46
Summary
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.1
liferay liferay_portal 6.1.2
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.1
liferay liferay_portal 6.2.2
liferay liferay_portal 6.2.3
liferay liferay_portal 6.2.4
liferay liferay_portal 6.2.5
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.1
liferay liferay_portal 7.0.2
liferay liferay_portal 7.0.3
liferay liferay_portal 7.0.4
liferay liferay_portal 7.0.5
liferay liferay_portal 7.0.6
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "FA36613B-2934-4328-8D79-DA2E4DCAA21C",
              "versionEndIncluding": "6.0.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "5FFE793D-A9F8-478A-A05C-8ADD376741E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "6BA0C52D-BBB8-4A86-A96D-4BDCD29FB758",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b3:*:*:community:*:*:*",
              "matchCriteriaId": "4FE5AB24-2D11-410B-ADF5-44B67CA98832",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b4:*:*:community:*:*:*",
              "matchCriteriaId": "5B726B37-50BC-47A8-8FDF-7A66E855014F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "BB738110-EB09-42DE-98DA-12BE32DE57C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:rc1:*:*:community:*:*:*",
              "matchCriteriaId": "1FB09531-2DD2-475C-BD22-E97901F56B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "DAFF5639-E14B-4DDF-9B3E-AB1C410A8F20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.2:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "C0683FB5-212D-4FD7-A4B1-8900D909086E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "472FA08E-1641-4D12-86D2-C4615B722310",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "001AF786-5DD2-4797-8740-31060A6A03A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "9CA31B62-A9E2-478D-8CCA-F1923875CB9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m1:*:*:community:*:*:*",
              "matchCriteriaId": "87572B01-6964-497B-A77D-269E020FA4F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m2:*:*:community:*:*:*",
              "matchCriteriaId": "9D4C3B3F-6125-455D-8A43-4E55334D8951",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m3:*:*:community:*:*:*",
              "matchCriteriaId": "30204763-F5B5-4FD8-814C-FE699C05E8C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m4:*:*:community:*:*:*",
              "matchCriteriaId": "D071ABF1-38D7-4381-9B8E-0A08C7DC66C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m5:*:*:community:*:*:*",
              "matchCriteriaId": "11DB0072-E95D-4A3F-A7EE-24FE395DA95F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m6:*:*:community:*:*:*",
              "matchCriteriaId": "A8D0B139-7982-4F35-A35E-CDE00D949DFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc1:*:*:community:*:*:*",
              "matchCriteriaId": "61E60075-59B8-4555-893A-5C2A89D5F2DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc2:*:*:community:*:*:*",
              "matchCriteriaId": "F692C4AF-6568-43D9-8EA8-AE6EFDFD76EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc3:*:*:community:*:*:*",
              "matchCriteriaId": "7AC9FB0B-A24F-48FE-8DE7-9DF470064C9B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc4:*:*:community:*:*:*",
              "matchCriteriaId": "2DE10E9E-5A7F-4241-88E4-796E91260F00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc5:*:*:community:*:*:*",
              "matchCriteriaId": "51EC8CDD-419B-4858-8FFB-91D0EF4496C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc6:*:*:community:*:*:*",
              "matchCriteriaId": "0279FC7D-BF39-4CF6-BB80-2EE532D450E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "7DA37F01-82C9-4BF1-A349-861561AA3712",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.2:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "CC404755-D472-4A0D-8922-4E1957A04E40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.3:ga4:*:*:community:*:*:*",
              "matchCriteriaId": "F9C0B6C3-0C26-4311-B472-4E3713A19152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.4:ga5:*:*:community:*:*:*",
              "matchCriteriaId": "E0F66C7B-9882-4E12-8D79-6BB5422B5946",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.5:ga6:*:*:community:*:*:*",
              "matchCriteriaId": "AF1DBF1D-2344-4CDA-85EE-02A8F0B6F33D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a1:*:*:community:*:*:*",
              "matchCriteriaId": "3FC682CE-28EF-440C-9E9F-2A69423E1935",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a2:*:*:community:*:*:*",
              "matchCriteriaId": "B6B01EB4-F999-4F32-8BF1-9B763E0F05B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a3:*:*:community:*:*:*",
              "matchCriteriaId": "D7FC066D-FDB1-4645-AC44-4256B2B41279",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a4:*:*:community:*:*:*",
              "matchCriteriaId": "96082BE8-24A1-401A-9965-B8C8C606184C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a5:*:*:community:*:*:*",
              "matchCriteriaId": "CD5DC3C4-69C1-4346-8F65-90F08AAA90D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "EFDAD1AF-EC2F-4894-BA92-97A4B9E9ED1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "F243A741-E860-4EA5-ADB0-9AA0AAABF93D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b3:*:*:community:*:*:*",
              "matchCriteriaId": "33CEF26A-3217-451C-9A27-B23B9C967B05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b4:*:*:community:*:*:*",
              "matchCriteriaId": "E472E8E9-1AAB-4845-9F11-1B3C570EA73E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b5:*:*:community:*:*:*",
              "matchCriteriaId": "27F6273D-20A8-401A-9499-490F5642BE4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b6:*:*:community:*:*:*",
              "matchCriteriaId": "2B5C7F9F-B8FB-4A7A-A433-E1C156A9A5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b7:*:*:community:*:*:*",
              "matchCriteriaId": "B8549860-D2DE-49A3-B1A9-4D254E83BDDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "3AA76510-6152-4F51-ACCC-8D6955EEDE18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m1:*:*:community:*:*:*",
              "matchCriteriaId": "9F482A5E-B8A8-4F31-BF34-3C4105BADA34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m2:*:*:community:*:*:*",
              "matchCriteriaId": "104A6584-6D9B-42F7-BFDA-A2BE9D900B2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m3:*:*:community:*:*:*",
              "matchCriteriaId": "4D781468-2FDA-47C7-B1CA-9845B20D5E1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m4:*:*:community:*:*:*",
              "matchCriteriaId": "FA0F71E9-F6FE-4EEB-AF76-5EBB60D71067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m5:*:*:community:*:*:*",
              "matchCriteriaId": "F3E37093-DE34-4002-8B89-942DD7F26F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m6:*:*:community:*:*:*",
              "matchCriteriaId": "8A5B9B28-A6FC-4FB7-9071-B54AE4AB5EA2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m7:*:*:community:*:*:*",
              "matchCriteriaId": "3F92523D-3292-4E44-BB97-B97AE347CE15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "EEF7EDFF-BFC0-4006-9500-87BB76747146",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.2:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "7EA79695-F8E9-4742-BF75-0C36B9D6233F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.3:ga4:*:*:community:*:*:*",
              "matchCriteriaId": "9276ACC2-F339-4DF0-99B7-2897C6538F95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.4:ga5:*:*:community:*:*:*",
              "matchCriteriaId": "E60E9992-7FB6-4963-BAB3-F1A124395E62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.5:ga6:*:*:community:*:*:*",
              "matchCriteriaId": "ABD5E21F-1D23-48E0-9541-4D222703C634",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.6:ga7:*:*:community:*:*:*",
              "matchCriteriaId": "1C54E49F-0886-4511-B205-98A982137DEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a1:*:*:community:*:*:*",
              "matchCriteriaId": "D4DCCFCE-E56D-495D-B9C1-98FB7C96421D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a2:*:*:community:*:*:*",
              "matchCriteriaId": "BBD777AB-DC4B-4860-A203-10FDA026CC4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "9C28A2C0-C7B8-4250-A0DC-AAA9D597EDD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "EF37F090-D1A1-476A-8477-2AF84977FED4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b3:*:*:community:*:*:*",
              "matchCriteriaId": "E1A2043B-429C-4613-B155-E0DDBE385E12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "5041C958-4211-41BE-9644-8A543ABD7BC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m1:*:*:community:*:*:*",
              "matchCriteriaId": "9085829A-0DFC-4E68-B2A2-88CC33773C84",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m2:*:*:community:*:*:*",
              "matchCriteriaId": "51EA228E-4463-4878-B4FB-B7443220E4D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:rc1:*:*:community:*:*:*",
              "matchCriteriaId": "A2CB2283-D0E1-405B-B3AB-685DD548575E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the \"url\" parameter of the JSP taglib call \u003cliferay-ui:captcha url=\"\u003c%= url %\u003e\" /\u003e or \u003cliferay-captcha:captcha url=\"\u003c%= url %\u003e\" /\u003e. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable."
    },
    {
      "lang": "es",
      "value": "En el Portal Liferay anterior a 7.1 CE GA4, existe una vulnerabilidad de XSS en la API SimpleCaptcha cuando el c\u00f3digo personalizado pasa una entrada sin sanear al par\u00e1metro \"url\" de la llamada a la taglib JSP \u003cliferay-ui:captcha url=\"\u003c%= url %\u003e\" /\u003e o \u003cliferay-captcha:captcha url=\"\u003c%= url %\u003e\" /\u003e. El comportamiento de Liferay Portal fuera de la caja sin personalizaciones no es vulnerable."
    }
  ],
  "id": "CVE-2019-6588",
  "lastModified": "2024-11-21T04:46:45.383",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-03T20:29:01.547",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 03:15
Modified
2025-01-28 02:39
Summary
Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2503ABB2-4B09-4118-890B-02CD00535F27",
              "versionEndExcluding": "7.4.3.5",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module\u0027s DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting (XSS) almacenada en el DDMForm del m\u00f3dulo Dynamic Data Mapping en Liferay Portal 7.2.0 a 7.4.3.4 y versiones anteriores no compatibles, y Liferay DXP 7.4.13, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 17, y las versiones anteriores no compatibles permite a los usuarios autenticados remotamente inyectar script web o HTML arbitrario a trav\u00e9s del par\u00e1metro instanceId."
    }
  ],
  "id": "CVE-2024-25603",
  "lastModified": "2025-01-28T02:39:55.360",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T03:15:09.173",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-11-17 06:15
Modified
2024-11-21 08:30
Summary
Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "510821D4-AC27-412A-975E-A900CECADACD",
              "versionEndIncluding": "7.4.3.95",
              "versionStartIncluding": "7.4.3.94",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Reflected cross-site scripting (XSS) vulnerability on a content page\u2019s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada en la p\u00e1gina de edici\u00f3n de una p\u00e1gina de contenido en Liferay Portal v7.4.3.94 hasta v7.4.3.95 permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s del par\u00e1metro `p_l_back_url_title`."
    }
  ],
  "id": "CVE-2023-47797",
  "lastModified": "2024-11-21T08:30:49.477",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-17T06:15:34.230",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47797"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47797"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-03 00:15
Modified
2024-11-21 06:16
Summary
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1708EE59-0B7D-409A-A906-26276641AF3A",
              "versionEndIncluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "6F20D93D-7FB2-4D5F-9249-4DECDE473C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "CF0821E5-B6E5-44E6-9CF7-77EAE982F677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_100:*:*:*:*:*:*",
              "matchCriteriaId": "8C9B7CF8-5553-47B6-BB57-0429D78AE301",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "1B24B6A1-8439-49D6-8E78-193144F3DCC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "7E82A6CC-891C-4619-84EA-0DA96E4043C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "70E12054-0DEE-4B92-B8F6-7DC4B2461113",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "3B566A51-3EFC-4A08-8A4F-A9AA43FBE481",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "FE1A8781-6B16-4D37-B556-36B99CBCA9F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "3EE11B43-1629-4A22-BE88-0AFB2DFC528C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "10FC6F33-C031-40A4-AFAF-B5CF30F79E52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "99B99578-CACE-47D2-9C1E-A7BBD2B6F6EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "950D98A8-88EE-4C99-817B-C418071B2819",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "F86FF50F-B21A-4B6E-88B8-90D0C042E942",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "CE0E1891-6E76-4069-B412-43B5E5379E0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "404F5FFE-2758-452F-9297-40E0533C6FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "3F5B7E72-8D62-464A-AA82-CBE2625C7687",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "4FA67C68-3E8E-4383-967F-A1FA55AE4897",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "F220793A-FDAC-48C6-B299-39EB3BC077A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "F095A9E1-5FE1-46C4-B0E1-97F8767439D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "DFD748DD-6FDB-44CD-96BF-026D18CE4207",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "0A34F2EA-D0F7-4C9B-BFE6-DA334DFD0EDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "4B3C2426-7617-4535-B86A-7F9BA45DFD0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_29:*:*:*:*:*:*",
              "matchCriteriaId": "88A5CBCE-2BAE-44C7-A7BF-BC30C89839BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "CA6B2500-42E4-4F87-8B93-2F7399B4F611",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "28955834-8E02-4558-ABD3-4958DBB41423",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_31:*:*:*:*:*:*",
              "matchCriteriaId": "89B4F926-5018-4C50-9569-A92BEA6364A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_32:*:*:*:*:*:*",
              "matchCriteriaId": "863C4DBB-9BA2-4A13-8394-08AC500D552A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "C4206C84-C4BD-4363-A4CA-EE229CE06319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_34:*:*:*:*:*:*",
              "matchCriteriaId": "54CA9915-54C2-4E7F-85AF-781CA0A63A9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "4F644864-1056-4A0C-ADD7-A1992A0AC07D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "91E9BAE9-CD40-4353-95DB-7D9ADC338F95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_37:*:*:*:*:*:*",
              "matchCriteriaId": "C2A29CA0-66CB-4ED9-87B3-57A1C04F59F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_38:*:*:*:*:*:*",
              "matchCriteriaId": "2BFC882E-25C2-46A3-A0DA-A779399A3A30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "661E68A2-B365-4962-87CF-CE17A500889F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "D4094372-E950-4DE0-86D2-CE7F214FD3A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "A5D28279-002A-4BC7-9396-E47FC842D7AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "C700ED72-4626-48A0-B1BB-E0A7C12D454F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "8F473DF1-F70D-4EDB-A011-C8D1C6A21659",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "C2351EAC-F6AD-4611-B9BD-39C4DFE85B5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "357845C1-3834-465A-B9CA-F9C604AA8242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "DD35964D-4156-45B8-A0AB-282DA9F4FA47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "35656567-EF24-4948-A72A-C754D6E419B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "E9A3D95D-4539-432D-B241-376F312534AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "81F329F1-5BB1-42A7-98CE-B0EB5819D60A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "5B7111FA-9FD7-4952-AFE1-07D3E14854F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D35916F1-24AA-4BF3-8B1F-2361C5B815D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "2C7A080F-9C99-41A0-BC63-EBDDC0DF7B8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "0383C4C4-A7BB-418D-9A98-AC4233722961",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "AA281A20-7599-446B-9587-118E920403D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "9514E8F5-1D0B-4CDF-BD03-087326F6C252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "78BC7D6C-2A10-4F78-9C41-EA97665C246E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_55:*:*:*:*:*:*",
              "matchCriteriaId": "B2C29B11-D87B-4D78-9D42-AD528C811080",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "CA9BE427-78D7-4DEE-A174-F3E3675B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "6C10325C-8670-499B-B003-7D8634539C5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "5F692BEB-5CB1-41EA-B715-64AB0036F6CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "427C4DF5-9039-4CB5-B600-5F965E20D945",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "EDEE4B40-889C-472E-AA91-7E1B4314EE64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "44B7A2A2-5764-4EDB-AA44-25F8508CF128",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "55D94917-5360-4179-A017-1287C63A6E6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_62:*:*:*:*:*:*",
              "matchCriteriaId": "52C5C76D-2572-4ADF-B7E4-7B3444935658",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_63:*:*:*:*:*:*",
              "matchCriteriaId": "9ABFC91A-7A8D-4A08-9464-F534BAA69B4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "1D378A23-113D-47AC-9CB5-2658C357FFB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "58FB119E-508C-45F7-8AD8-B67AAAEA53D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "8B3359A5-D39B-4322-8963-B138D791D232",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "E11E2FBD-7541-4CE3-8A78-52FB82571547",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "3883F470-8D8D-4CB3-BF4A-0C401BDABC83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "1BDCF010-04BF-4FA5-9E14-F6461FED3FFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "3867FDAA-354E-4D2F-A260-27F31CA44C8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "7E8CEA39-4A7F-4827-91FA-31119201D174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "D3768AC9-A245-4B81-8D1D-9D9C5354245C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "71CA65C9-C0FC-4CBD-A8B0-DD72604A46F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "9F06DECA-F45D-49DA-BB24-AA1F0306B0B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_74:*:*:*:*:*:*",
              "matchCriteriaId": "3BA69ED9-28FA-40B5-84F9-0FFE40DFC675",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "6FF2D31F-8719-41A6-ADD5-15BE9409428E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "DE56F5E5-73CF-4636-9F98-86BDDA3F6A47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_77:*:*:*:*:*:*",
              "matchCriteriaId": "CE4885B1-F912-4D06-8179-830FC011F3F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "A1A0EFCE-4B74-4B4D-AB6E-5730F26B38FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "F02DCC86-C3F7-482C-9BFB-B7971FB10AEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "A89B7EE4-57FD-4B09-841A-ABC9990FF88F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "06835B0A-A2DF-44D3-A38F-59E5D5523FFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "B746D0CF-76F6-42A1-9056-CA9622DCD806",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "FFC33A7E-B1CB-4E83-B75C-71F5E7E5E406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "325CFFCF-1609-4D89-B6A8-1C6ACBFDD35B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "BD019A57-FC7A-4B1F-9946-FA15C90FC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "A6B2CD3A-C39C-4F9A-8602-3EC75472181D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "1B8DCD85-0E47-44C1-B7DD-E1B4756CEC17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "1790D974-2EE0-4405-8F26-BB6DB3BDA23B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "416B3F04-AD86-4F91-890E-56BA539AAB06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "C12C0E4D-4E9A-4BD7-926E-74BCD42595B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "655A3A6A-A3EB-4864-B64D-2319E5CF7DA0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "9A659FEF-1BC1-45E8-A01E-1F9A8F2AFAAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "3810319D-7DC4-47DD-B568-B0504DBC8209",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "D9BFFFC0-912A-4F95-A08E-1D264135D1E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "9EA924E7-DEF2-45BF-B435-C435AC20AF4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "E6809C30-9A81-45E6-92E9-01D54880EFEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "C194ACCD-CB7E-4DFC-ABB5-7CCEFD83E11B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_96:*:*:*:*:*:*",
              "matchCriteriaId": "69856C3C-2ACB-4718-821C-793118094985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_97:*:*:*:*:*:*",
              "matchCriteriaId": "8693CC24-CEF6-4479-A3DA-8FD5C73E9548",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_98:*:*:*:*:*:*",
              "matchCriteriaId": "B1A95A94-83C6-4DCC-8208-B76B53678B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_99:*:*:*:*:*:*",
              "matchCriteriaId": "A1831C4F-7887-489E-91C1-3997114917DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4CC72-C15A-40DE-AFF4-0B6B79BFB2BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Server module\u0027s script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la consola de secuencias de comandos del m\u00f3dulo Server en Liferay Portal 7.3.2 y anteriores, y Liferay DXP 7.0 antes del paquete de correcciones 101, 7.1 antes del paquete de correcciones 20 y 7.2 antes del paquete de correcciones 10 permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a trav\u00e9s de la salida de una secuencia de comandos."
    }
  ],
  "id": "CVE-2021-38263",
  "lastModified": "2024-11-21T06:16:41.793",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-03T00:15:07.933",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17061"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17061"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 14:15
Modified
2024-11-21 08:06
Summary
Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "324106E0-0AA8-42EB-80C7-21AC59ECDC57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "52877E3A-4E07-4B14-BABC-B70266FEFEDE",
              "versionEndIncluding": "7.4.0",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the App Builder module\u0027s custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object\u0027s `Name` field."
    }
  ],
  "id": "CVE-2023-33938",
  "lastModified": "2024-11-21T08:06:14.583",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T14:15:09.550",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33938"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33938"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 through 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that were assigned to a page.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE688932-9AFE-4F7C-9856-22E315265C1F",
              "versionEndExcluding": "7.4.3.37",
              "versionStartIncluding": "7.4.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo URL Amigables en Liferay Portal v7.4.3.5 a 7.4.3.36 y Liferay DXP 7.4 actualizaciones 1 a 36 no verifica adecuadamente los permisos de usuario, lo que permite a atacantes remotos obtener el historial de todas las URL amigables que se asignaron a una p\u00e1gina."
    }
  ],
  "id": "CVE-2022-42127",
  "lastModified": "2024-11-21T07:24:25.180",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:13.347",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17607"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42127"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17607"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42127"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-08-07 16:29
Modified
2024-11-21 03:09
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:ga3:*:*:*:*:*:*",
              "matchCriteriaId": "2EF349F1-9D4E-41AD-8C60-3E69F4141B75",
              "versionEndIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante un t\u00edtulo de art\u00edculo de Knowledge Base."
    }
  ],
  "id": "CVE-2017-12647",
  "lastModified": "2024-11-21T03:09:58.037",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-07T16:29:00.330",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/48901"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/48901"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 15:15
Modified
2024-11-21 08:06
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CE9EC98-8A74-4024-A1EA-8E1CF2F3E832",
              "versionEndIncluding": "7.4.3.52",
              "versionStartIncluding": "7.4.3.31",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module\u0027s OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter."
    }
  ],
  "id": "CVE-2023-33941",
  "lastModified": "2024-11-21T08:06:15.363",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T15:15:09.697",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33941"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33941"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 11:15
Modified
2024-11-21 06:00
Summary
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A622610B-E145-43E4-AFC6-A4A196296301",
              "versionEndIncluding": "7.3.5",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Redirect module\u0027s redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la p\u00e1gina de administraci\u00f3n de redireccionamiento del m\u00f3dulo Redirect en Liferay Portal versiones 7.3.2 hasta 7.3.5, y Liferay DXP versiones 7.3 anteriores a fixpack 1, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio del par\u00e1metro _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL"
    }
  ],
  "id": "CVE-2021-29045",
  "lastModified": "2024-11-21T06:00:35.187",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T11:15:07.243",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743484"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743484"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 00:15
Modified
2024-11-21 06:58
Summary
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via a user's name.
Impacted products
Vendor Product Version
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_100:*:*:*:*:*:*",
              "matchCriteriaId": "410D1A51-448F-4E98-BC20-8AB63E4008A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_101:*:*:*:*:*:*",
              "matchCriteriaId": "614C805B-94C4-4486-B791-59DAB1906EB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_96:*:*:*:*:*:*",
              "matchCriteriaId": "A775E68D-A18E-433F-A9D0-AB6E71495936",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_97:*:*:*:*:*:*",
              "matchCriteriaId": "20CB9AD9-57B1-45E1-B228-EEB4E8615B57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_98:*:*:*:*:*:*",
              "matchCriteriaId": "DEAB4602-D612-4568-9579-5FA3840E415A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_99:*:*:*:*:*:*",
              "matchCriteriaId": "C3BDD320-6142-45BA-A57E-965507A1F76F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "87600A59-7DD1-49F5-A5A5-EA392193C6A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "33EB9718-E83C-43F4-AFF9-86A83F6F75A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "F7CDDDE5-5E00-41AB-8517-2E5A1427633D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "D5B4F901-D5A9-440D-86B4-76B42C833660",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "1AB262B6-E817-461A-9F05-15B1B37D9019",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "48765E9D-CDEE-4648-A15F-404BDB51CABD",
              "versionEndExcluding": "7.4.2",
              "versionStartIncluding": "7.0.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in the Site module\u0027s user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user\u0027s name."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) Almacenado en la p\u00e1gina de administraci\u00f3n de la membres\u00eda del usuario del m\u00f3dulo Site en Liferay Portal versiones 7.0.1 hasta 7.4.1, y Liferay DXP versi\u00f3n 7.0 versiones anteriores a fix pack 102, 7.1 anteriores a fix pack 26, 7.2 anteriores a fix pack 15, y 7.3 anteriores a service pack 3, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio del nombre de un usuario"
    }
  ],
  "id": "CVE-2022-28978",
  "lastModified": "2024-11-21T06:58:16.700",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T00:15:09.603",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28978-stored-xss-with-user-name-in-site-membership"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28978-stored-xss-with-user-name-in-site-membership"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 01:15
Modified
2024-11-21 06:58
Summary
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_100:*:*:*:*:*:*",
              "matchCriteriaId": "410D1A51-448F-4E98-BC20-8AB63E4008A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_101:*:*:*:*:*:*",
              "matchCriteriaId": "614C805B-94C4-4486-B791-59DAB1906EB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_96:*:*:*:*:*:*",
              "matchCriteriaId": "A775E68D-A18E-433F-A9D0-AB6E71495936",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_97:*:*:*:*:*:*",
              "matchCriteriaId": "20CB9AD9-57B1-45E1-B228-EEB4E8615B57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_98:*:*:*:*:*:*",
              "matchCriteriaId": "DEAB4602-D612-4568-9579-5FA3840E415A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_99:*:*:*:*:*:*",
              "matchCriteriaId": "C3BDD320-6142-45BA-A57E-965507A1F76F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "87600A59-7DD1-49F5-A5A5-EA392193C6A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "33EB9718-E83C-43F4-AFF9-86A83F6F75A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "F7CDDDE5-5E00-41AB-8517-2E5A1427633D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "D5B4F901-D5A9-440D-86B4-76B42C833660",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "1AB262B6-E817-461A-9F05-15B1B37D9019",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "22E35E99-E5B4-4A85-84CE-3139AFF96B85",
              "versionEndExcluding": "7.4.3.4",
              "versionStartIncluding": "7.3.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect."
    },
    {
      "lang": "es",
      "value": "El archivo HtmlUtil.escapeRedirect en Liferay Portal versiones 7.3.1 hasta 7.4.2, y Liferay DXP versiones 7.0 fix pack 91 hasta 101, 7.1 fix pack 17 hasta 25, 7.2 fix pack 5 hasta 14, y 7. 3 anteriores a service pack 3, puede ser omitido mediante el uso de m\u00faltiples barras diagonales, lo que permite a atacantes remotos redirigir a usuarios a URLs externas arbitrarias por medio del par\u00e1metro (1) \"redirect\" (2) \"FORWARD_URL\" y (3) otros par\u00e1metros que dependen de HtmlUtil.escapeRedirect"
    }
  ],
  "id": "CVE-2022-28977",
  "lastModified": "2024-11-21T06:58:16.517",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T01:15:10.753",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-08-02 10:15
Modified
2024-11-21 08:17
Summary
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "43BF2B31-48F4-4E42-BB8E-CAA891964ED5",
              "versionEndIncluding": "7.4.3.85",
              "versionStartIncluding": "7.4.3.81",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations."
    },
    {
      "lang": "es",
      "value": "El selector de organizaciones en Liferay Portal v7.4.3.81 a v7.4.3.85 y Liferay DXP v7.4 actualizaci\u00f3n 81 a 85 no comprueba el permiso del usuario, lo que permite a usuarios remotos autenticados obtener una lista de todas las organizaciones. "
    }
  ],
  "id": "CVE-2023-3426",
  "lastModified": "2024-11-21T08:17:14.497",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-08-02T10:15:09.887",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Patch",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-425"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 11:15
Modified
2024-11-21 06:00
Summary
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
Impacted products
Vendor Product Version
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_96:*:*:*:*:*:*",
              "matchCriteriaId": "A775E68D-A18E-433F-A9D0-AB6E71495936",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E447EF84-77FA-448B-8E40-DB216B9B715E",
              "versionEndIncluding": "7.3.5",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store\u0027s proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Portal Store en Liferay Portal versiones 7.0.0 hasta 7.3.5 y Liferay DXP versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 21, versiones 7.2 anteriores al fixpack 10 y versiones 7.3 anteriores a fixpack 1, no oculta la contrase\u00f1a de proxy de la tienda S3, el cual permite a atacantes robar la contrase\u00f1a del proxy por medio de ataques de tipo man-in-the-middle o navegaci\u00f3n lateral"
    }
  ],
  "id": "CVE-2021-29043",
  "lastModified": "2024-11-21T06:00:34.883",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T11:15:07.127",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743515"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-07 15:15
Modified
2024-11-21 09:00
Summary
The Document and Media widget in Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73595C28-A21B-4C48-A326-33B0159B37A1",
              "versionEndExcluding": "7.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7CAF8FC-6334-48FD-A3E0-83EE307A5210",
              "versionEndIncluding": "7.2.1",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "50D9A45F-2E4E-4371-9835-014E603F2792",
              "versionEndExcluding": "7.3.7",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images."
    },
    {
      "lang": "es",
      "value": "Document and Media widget In Liferay Portal 7.2.0 a 7.3.6 y versiones anteriores no compatibles, y Liferay DXP 7.3 anteriores al service pack 3, 7.2 anteriores al fix pack 13 y versiones anteriores no compatibles, no limita el consumo de recursos al generar una vista previa image, que permite a los usuarios autenticados remotamente provocar una denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de im\u00e1genes PNG manipuladas."
    }
  ],
  "id": "CVE-2024-25143",
  "lastModified": "2024-11-21T09:00:20.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-07T15:15:08.907",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 04:15
Modified
2025-01-28 02:28
Summary
The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user-supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to content spoofing or cross-site scripting (XSS) attacks, depending on the capability of the receiver's mail client.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC2000D2-4B65-4EAF-B0D5-09DDC0255580",
              "versionEndExcluding": "7.4.3.4",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user\u0027s name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver\u0027s mail client."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Calendario en Liferay Portal 7.2.0 a 7.4.2 y versiones anteriores no compatibles, y Liferay DXP 7.3 anteriores al service pack 3, 7.2 anteriores al fix pack 15 y versiones anteriores no compatibles no escapa a los datos proporcionados por el usuario en la plantilla de correo electr\u00f3nico de notificaci\u00f3n predeterminada , que permite a los usuarios autenticados remotamente inyectar script web o HTML arbitrarios a trav\u00e9s del t\u00edtulo de un evento del calendario o el nombre del usuario. Esto puede dar lugar a ataques de suplantaci\u00f3n de contenido o de Cross-site scripting (XSS), dependiendo de la capacidad del cliente de correo del receptor."
    }
  ],
  "id": "CVE-2024-25151",
  "lastModified": "2025-01-28T02:28:11.500",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T04:15:08.627",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-06-15 04:15
Modified
2024-11-21 08:07
Summary
Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Impacted products
Vendor Product Version
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay dxp 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_70:*:*:*:*:*:*",
              "matchCriteriaId": "3A210A40-99B5-40D6-BBB8-E0E30FADED2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_71:*:*:*:*:*:*",
              "matchCriteriaId": "9ED1C984-729C-4994-B041-12AD82ABB7FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_72:*:*:*:*:*:*",
              "matchCriteriaId": "998F01FB-913B-4224-8413-D62ACCF570E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_73:*:*:*:*:*:*",
              "matchCriteriaId": "F18E6353-E96E-4FD6-8CEE-28A30C70AC82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_74:*:*:*:*:*:*",
              "matchCriteriaId": "6102A1C7-26E5-4830-A87F-C7142671261E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_75:*:*:*:*:*:*",
              "matchCriteriaId": "57374266-D3DA-4E50-8B4B-19ED8343AC9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_76:*:*:*:*:*:*",
              "matchCriteriaId": "93CCCAAE-8B59-4F59-91E9-860F4313521C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9014083-2E75-4403-9C1D-C4F07C8DB877",
              "versionEndExcluding": "7.4.3.77",
              "versionStartIncluding": "7.4.3.70",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open redirect vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter."
    }
  ],
  "id": "CVE-2023-35029",
  "lastModified": "2024-11-21T08:07:50.590",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-15T04:15:34.513",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-04-25 16:16
Modified
2024-11-21 06:54
Summary
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF5BFC45-3970-43D5-A064-D8785677E26C",
              "versionEndExcluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "52877E3A-4E07-4B14-BABC-B70266FEFEDE",
              "versionEndIncluding": "7.4.0",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Layout module\u0027s Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la integraci\u00f3n de Open Graph del m\u00f3dulo Layout en Liferay Portal 7.3.0 hasta 7.4.0, y Liferay DXP 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web o HTML arbitrario por medio del nombre del sitio"
    }
  ],
  "id": "CVE-2022-26597",
  "lastModified": "2024-11-21T06:54:11.380",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-25T16:16:09.113",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ADEC0D76-B15D-4F90-BE93-DF2575A159ED",
              "versionEndExcluding": "7.4.3.5",
              "versionStartIncluding": "7.4.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Hypermedia REST APIs en Liferay Portal v7.4.1 a 7.4.3.4 y Liferay DXP 7.4 GA no comprueba correctamente los permisos, lo que permite a atacantes remotos obtener un objeto WikiNode a trav\u00e9s de la API WikiNodeResource.getSiteWikiNodeByExternalReferenceCode."
    }
  ],
  "id": "CVE-2022-42128",
  "lastModified": "2024-11-21T07:24:25.337",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:13.430",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17595"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42128"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17595"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42128"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 00:15
Modified
2024-11-21 07:18
Summary
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "2B420A18-5C8B-470F-9189-C84F8DAA74D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "A7A399C4-6D4B-438C-9BAE-2893E457028A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "0CBACD88-B4F8-4496-9706-C666768AC9B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "510C440D-8B79-4685-8105-7A21A77CFC61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "89C1DF64-7F4B-4231-A0F5-E4760D7CE008",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*",
              "matchCriteriaId": "5703FE2B-011A-4A40-AB67-B989438F2183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*",
              "matchCriteriaId": "41A54448-B1AB-4E92-8523-5D4A46A83533",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*",
              "matchCriteriaId": "A96A2A4A-3EB3-4074-A846-EC6EECC04B43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*",
              "matchCriteriaId": "56DAE678-10B9-419D-9F5D-96E3AC3A6E4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*",
              "matchCriteriaId": "064F4C28-B1F5-44C2-91AA-A09FD56EC0B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*",
              "matchCriteriaId": "814D0CE3-B89F-423C-B1E3-47BD0A474491",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*",
              "matchCriteriaId": "58DB7C5A-B4E3-410A-B491-3F322B340BDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*",
              "matchCriteriaId": "86B581B6-02B0-40B9-BB5C-E28FC51042DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*",
              "matchCriteriaId": "E7EFBC14-6785-4435-BA96-D77A857BC1C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*",
              "matchCriteriaId": "585635F8-53DC-4F64-BF6B-C6F72A5F4D29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:*",
              "matchCriteriaId": "355DD7FC-E9C7-43D6-8313-0474AB314F18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:*",
              "matchCriteriaId": "B0FDE8B1-444A-4FEB-AC97-4B29C914EB8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_27:*:*:*:*:*:*",
              "matchCriteriaId": "683D063A-0E32-4E2D-8CBF-A57F45071F6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_28:*:*:*:*:*:*",
              "matchCriteriaId": "7DFEBCAB-1D9B-4BED-A2C6-11BA863F1EE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_29:*:*:*:*:*:*",
              "matchCriteriaId": "DB8733C4-8CE4-4E4B-A2AE-919AA69DAF8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_30:*:*:*:*:*:*",
              "matchCriteriaId": "D372D9B9-5A83-4FF8-8DE5-617D99D1A8B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_31:*:*:*:*:*:*",
              "matchCriteriaId": "7519ABB1-57A7-46F1-97FC-DD44787F2B6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_32:*:*:*:*:*:*",
              "matchCriteriaId": "87BD916B-245C-4D62-B595-1985784C2ABC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_33:*:*:*:*:*:*",
              "matchCriteriaId": "841E15A8-0819-4E48-B7E3-3ACCB4C1F43B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_34:*:*:*:*:*:*",
              "matchCriteriaId": "91A243D9-7633-4836-B72D-75EF6C0F8876",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3D3F7B7-C39B-48E5-AD3A-1399B405F97B",
              "versionEndExcluding": "7.4.3.35",
              "versionStartIncluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a \"Content Page\" type page, allowing attackers to view unpublished \"Content Page\" pages via URL manipulation."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Layout en Liferay Portal versiones v7.3.3 hasta v7.4.3.34, y Liferay DXP versiones 7.3 anteriores a update 10, y 7.4 anteriores a update 35, no comprueba el permiso del usuario antes de mostrar la vista previa de una p\u00e1gina de tipo \"Content Page\", permitiendo a atacantes visualizar p\u00e1ginas de tipo \"Content Page\" no publicadas por medio de la manipulaci\u00f3n de la URL"
    }
  ],
  "id": "CVE-2022-39975",
  "lastModified": "2024-11-21T07:18:35.047",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T00:15:10.310",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 16:15
Modified
2024-11-21 08:06
Summary
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ADDAE58B-FC6A-496E-A655-92D78299FDFE",
              "versionEndIncluding": "7.4.3.48",
              "versionStartIncluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page."
    }
  ],
  "id": "CVE-2023-33946",
  "lastModified": "2024-11-21T08:06:15.993",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 2.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T16:15:09.837",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-09-01 14:15
Modified
2024-11-21 05:14
Summary
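The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist. [Note: the record below classifies this as CWE-601 (open redirect), which does not match the resource-exhaustion behaviour described here; triage it as a denial-of-service issue.]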
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "94896449-7A52-40D2-8E76-26DC60D7BA9A",
              "versionEndExcluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo de redireccionamiento en Liferay Portal versiones anteriores a 7.3.3 no limita el numero de URLs resultando en un error 404 que es registrado, permitiendo a atacantes remotos llevar a cabo un ataque de denegaci\u00f3n de servicio al realizar peticiones repetidas de p\u00e1ginas que no existen"
    }
  ],
  "id": "CVE-2020-24554",
  "lastModified": "2024-11-21T05:14:58.953",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-01T14:15:12.487",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784956"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784956"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 02:15
Modified
2025-01-28 21:26
Summary
Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "831BFAEF-E7B6-4E84-9142-79B93FBA0E8A",
              "versionEndExcluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in Expando module\u0027s geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting (XSS) almacenadas en los campos personalizados de geolocalizaci\u00f3n del m\u00f3dulo Expando en Liferay Portal 7.2.0 a 7.4.2 y versiones anteriores no compatibles, y Liferay DXP 7.3 anteriores al service pack 3, 7.2 anteriores al fix pack 17 y versiones anteriores no compatibles permite a usuarios remotos autenticados inyectar script web o HTML arbitrario a trav\u00e9s de un payload manipulado inyectado en el campo de texto del nombre de un campo personalizado de geolocalizaci\u00f3n."
    }
  ],
  "id": "CVE-2024-25601",
  "lastModified": "2025-01-28T21:26:17.863",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T02:15:30.100",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25601"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25601"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2011-05-07 19:55
Modified
2024-11-21 01:26
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030.
Impacted products
Vendor Product Version
liferay liferay_portal *
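microsoft windows_7 - (listed in the CPE configuration as a platform condition with "vulnerable": false, not as a vulnerable product)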



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "36D6FB97-DA02-4BE8-9546-2676F79BD9BA",
              "versionEndIncluding": "6.0.5",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E33796DB-4523-4F04-B564-ADF030553D51",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Liferay Portal Community Edition (CE) v6.x anterior a  v6.0.6 GA, cuando Apache Tomcat es utilizado, permite a atacantes remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s de un mensaje titulo, una vulnerabilidad diferente a CVE-2004-2030."
    }
  ],
  "id": "CVE-2011-1570",
  "lastModified": "2024-11-21T01:26:37.480",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2011-05-07T19:55:01.073",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-12628"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-13250"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-12628"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/browse/LPS-13250"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656\u0026styleName=Html\u0026projectId=10952"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/03/29/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/08/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://openwall.com/lists/oss-security/2011/04/11/9"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 02:15
Modified
2025-01-28 21:26
Summary
Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "831BFAEF-E7B6-4E84-9142-79B93FBA0E8A",
              "versionEndExcluding": "7.4.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting (XSS) almacenadas en el widget Tablero de mensajes en Liferay Portal 7.2.0 a 7.4.2 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al service pack 3, 7.2 anterior al fix pack 17 y versiones anteriores no compatibles permiten acceso remoto usuarios autenticados para inyectar scripts web o HTML arbitrarios a trav\u00e9s del nombre de archivo de un archivo adjunto."
    }
  ],
  "id": "CVE-2024-25152",
  "lastModified": "2025-01-28T21:26:06.277",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T02:15:29.933",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-10-04 14:15
Modified
2024-11-21 04:31
Severity ?
Summary
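Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. (The product list and CPE configuration below mark many more Liferay Portal releases as vulnerable than the single 6.2.5 release named in this summary, so check an installed version against the CPE entries rather than the summary alone.)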
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.0
liferay liferay_portal 6.1.1
liferay liferay_portal 6.1.2
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.0
liferay liferay_portal 6.2.1
liferay liferay_portal 6.2.2
liferay liferay_portal 6.2.3
liferay liferay_portal 6.2.4
liferay liferay_portal 6.2.5
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.0
liferay liferay_portal 7.0.1
liferay liferay_portal 7.0.2
liferay liferay_portal 7.0.3
liferay liferay_portal 7.0.4
liferay liferay_portal 7.0.5
liferay liferay_portal 7.0.6
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.0
liferay liferay_portal 7.1.1
liferay liferay_portal 7.1.2
liferay liferay_portal 7.1.3
liferay liferay_portal 7.2.0
liferay liferay_portal 7.2.0
liferay liferay_portal 7.2.0
liferay liferay_portal 7.2.0
liferay liferay_portal 7.2.0
liferay liferay_portal 7.2.0
liferay liferay_portal 7.2.0
liferay liferay_portal 7.2.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "FA36613B-2934-4328-8D79-DA2E4DCAA21C",
              "versionEndIncluding": "6.0.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "5FFE793D-A9F8-478A-A05C-8ADD376741E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "6BA0C52D-BBB8-4A86-A96D-4BDCD29FB758",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b3:*:*:community:*:*:*",
              "matchCriteriaId": "4FE5AB24-2D11-410B-ADF5-44B67CA98832",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b4:*:*:community:*:*:*",
              "matchCriteriaId": "5B726B37-50BC-47A8-8FDF-7A66E855014F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "BB738110-EB09-42DE-98DA-12BE32DE57C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:rc1:*:*:community:*:*:*",
              "matchCriteriaId": "1FB09531-2DD2-475C-BD22-E97901F56B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "DAFF5639-E14B-4DDF-9B3E-AB1C410A8F20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.2:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "C0683FB5-212D-4FD7-A4B1-8900D909086E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "472FA08E-1641-4D12-86D2-C4615B722310",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "001AF786-5DD2-4797-8740-31060A6A03A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "9CA31B62-A9E2-478D-8CCA-F1923875CB9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m1:*:*:community:*:*:*",
              "matchCriteriaId": "87572B01-6964-497B-A77D-269E020FA4F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m2:*:*:community:*:*:*",
              "matchCriteriaId": "9D4C3B3F-6125-455D-8A43-4E55334D8951",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m3:*:*:community:*:*:*",
              "matchCriteriaId": "30204763-F5B5-4FD8-814C-FE699C05E8C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m4:*:*:community:*:*:*",
              "matchCriteriaId": "D071ABF1-38D7-4381-9B8E-0A08C7DC66C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m5:*:*:community:*:*:*",
              "matchCriteriaId": "11DB0072-E95D-4A3F-A7EE-24FE395DA95F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m6:*:*:community:*:*:*",
              "matchCriteriaId": "A8D0B139-7982-4F35-A35E-CDE00D949DFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc1:*:*:community:*:*:*",
              "matchCriteriaId": "61E60075-59B8-4555-893A-5C2A89D5F2DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc2:*:*:community:*:*:*",
              "matchCriteriaId": "F692C4AF-6568-43D9-8EA8-AE6EFDFD76EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc3:*:*:community:*:*:*",
              "matchCriteriaId": "7AC9FB0B-A24F-48FE-8DE7-9DF470064C9B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc4:*:*:community:*:*:*",
              "matchCriteriaId": "2DE10E9E-5A7F-4241-88E4-796E91260F00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc5:*:*:community:*:*:*",
              "matchCriteriaId": "51EC8CDD-419B-4858-8FFB-91D0EF4496C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc6:*:*:community:*:*:*",
              "matchCriteriaId": "0279FC7D-BF39-4CF6-BB80-2EE532D450E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "7DA37F01-82C9-4BF1-A349-861561AA3712",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.2:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "CC404755-D472-4A0D-8922-4E1957A04E40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.3:ga4:*:*:community:*:*:*",
              "matchCriteriaId": "F9C0B6C3-0C26-4311-B472-4E3713A19152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.4:ga5:*:*:community:*:*:*",
              "matchCriteriaId": "E0F66C7B-9882-4E12-8D79-6BB5422B5946",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.5:ga6:*:*:community:*:*:*",
              "matchCriteriaId": "AF1DBF1D-2344-4CDA-85EE-02A8F0B6F33D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a1:*:*:community:*:*:*",
              "matchCriteriaId": "3FC682CE-28EF-440C-9E9F-2A69423E1935",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a2:*:*:community:*:*:*",
              "matchCriteriaId": "B6B01EB4-F999-4F32-8BF1-9B763E0F05B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a3:*:*:community:*:*:*",
              "matchCriteriaId": "D7FC066D-FDB1-4645-AC44-4256B2B41279",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a4:*:*:community:*:*:*",
              "matchCriteriaId": "96082BE8-24A1-401A-9965-B8C8C606184C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a5:*:*:community:*:*:*",
              "matchCriteriaId": "CD5DC3C4-69C1-4346-8F65-90F08AAA90D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "EFDAD1AF-EC2F-4894-BA92-97A4B9E9ED1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "F243A741-E860-4EA5-ADB0-9AA0AAABF93D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b3:*:*:community:*:*:*",
              "matchCriteriaId": "33CEF26A-3217-451C-9A27-B23B9C967B05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b4:*:*:community:*:*:*",
              "matchCriteriaId": "E472E8E9-1AAB-4845-9F11-1B3C570EA73E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b5:*:*:community:*:*:*",
              "matchCriteriaId": "27F6273D-20A8-401A-9499-490F5642BE4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b6:*:*:community:*:*:*",
              "matchCriteriaId": "2B5C7F9F-B8FB-4A7A-A433-E1C156A9A5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b7:*:*:community:*:*:*",
              "matchCriteriaId": "B8549860-D2DE-49A3-B1A9-4D254E83BDDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "3AA76510-6152-4F51-ACCC-8D6955EEDE18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m1:*:*:community:*:*:*",
              "matchCriteriaId": "9F482A5E-B8A8-4F31-BF34-3C4105BADA34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m2:*:*:community:*:*:*",
              "matchCriteriaId": "104A6584-6D9B-42F7-BFDA-A2BE9D900B2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m3:*:*:community:*:*:*",
              "matchCriteriaId": "4D781468-2FDA-47C7-B1CA-9845B20D5E1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m4:*:*:community:*:*:*",
              "matchCriteriaId": "FA0F71E9-F6FE-4EEB-AF76-5EBB60D71067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m5:*:*:community:*:*:*",
              "matchCriteriaId": "F3E37093-DE34-4002-8B89-942DD7F26F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m6:*:*:community:*:*:*",
              "matchCriteriaId": "8A5B9B28-A6FC-4FB7-9071-B54AE4AB5EA2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m7:*:*:community:*:*:*",
              "matchCriteriaId": "3F92523D-3292-4E44-BB97-B97AE347CE15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "EEF7EDFF-BFC0-4006-9500-87BB76747146",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.2:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "7EA79695-F8E9-4742-BF75-0C36B9D6233F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.3:ga4:*:*:community:*:*:*",
              "matchCriteriaId": "9276ACC2-F339-4DF0-99B7-2897C6538F95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.4:ga5:*:*:community:*:*:*",
              "matchCriteriaId": "E60E9992-7FB6-4963-BAB3-F1A124395E62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.5:ga6:*:*:community:*:*:*",
              "matchCriteriaId": "ABD5E21F-1D23-48E0-9541-4D222703C634",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.6:ga7:*:*:community:*:*:*",
              "matchCriteriaId": "1C54E49F-0886-4511-B205-98A982137DEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a1:*:*:community:*:*:*",
              "matchCriteriaId": "D4DCCFCE-E56D-495D-B9C1-98FB7C96421D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a2:*:*:community:*:*:*",
              "matchCriteriaId": "BBD777AB-DC4B-4860-A203-10FDA026CC4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b1:*:*:community:*:*:*",
              "matchCriteriaId": "9C28A2C0-C7B8-4250-A0DC-AAA9D597EDD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b2:*:*:community:*:*:*",
              "matchCriteriaId": "EF37F090-D1A1-476A-8477-2AF84977FED4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b3:*:*:community:*:*:*",
              "matchCriteriaId": "E1A2043B-429C-4613-B155-E0DDBE385E12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "5041C958-4211-41BE-9644-8A543ABD7BC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m1:*:*:community:*:*:*",
              "matchCriteriaId": "9085829A-0DFC-4E68-B2A2-88CC33773C84",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m2:*:*:community:*:*:*",
              "matchCriteriaId": "51EA228E-4463-4878-B4FB-B7443220E4D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:rc1:*:*:community:*:*:*",
              "matchCriteriaId": "A2CB2283-D0E1-405B-B3AB-685DD548575E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.1:ga2:*:*:community:*:*:*",
              "matchCriteriaId": "040B88A2-3AB5-48F4-AEDD-A4579A172C36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.2:ga3:*:*:community:*:*:*",
              "matchCriteriaId": "FD819822-6BA3-481F-9101-3DF2C9264856",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.3:ga4:*:*:community:*:*:*",
              "matchCriteriaId": "568D23DC-1534-4E47-AF72-E484C3B6F642",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:alpha1:*:*:community:*:*:*",
              "matchCriteriaId": "99F9B577-B928-481B-A568-B9279CD194AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:beta1:*:*:community:*:*:*",
              "matchCriteriaId": "1C4E2D52-56FE-4ED6-81D3-89C7796A0F08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:beta2:*:*:community:*:*:*",
              "matchCriteriaId": "24A3C417-E5C9-45D5-92EB-25109C5F1FEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:beta3:*:*:community:*:*:*",
              "matchCriteriaId": "AE394C7A-5A07-4382-B532-CE6A58BDF860",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:m2:*:*:community:*:*:*",
              "matchCriteriaId": "01F2DF61-31A4-4ABC-92D9-F8642CDC1453",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:rc1:*:*:community:*:*:*",
              "matchCriteriaId": "AB555AEB-B0F5-40F4-8C04-C56304B5EDA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:rc2:*:*:community:*:*:*",
              "matchCriteriaId": "4D27ED77-5F60-4251-9E68-4ECF35E34B18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2.0:rc3:*:*:community:*:*:*",
              "matchCriteriaId": "F60B545E-E4C9-47F2-A2D8-71A6835C38EF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload."
    },
    {
      "lang": "es",
      "value": "Liferay Portal CE versi\u00f3n 6.2.5, permite la ejecuci\u00f3n de comandos remota debido a la deserializaci\u00f3n de una carga \u00fatil JSON."
    }
  ],
  "id": "CVE-2019-16891",
  "lastModified": "2024-11-21T04:31:17.117",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-04T14:15:11.030",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://dappsec.substack.com/p/an-advisory-for-cve-2019-16891-from"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://www.liferay.com/downloads-community"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.youtube.com/watch?v=DjMEfQW3bf0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://dappsec.substack.com/p/an-advisory-for-cve-2019-16891-from"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://www.liferay.com/downloads-community"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.youtube.com/watch?v=DjMEfQW3bf0"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 00:15
Modified
2024-11-21 07:24
Summary
A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "201470D2-65E1-40D7-B01B-35A03930BEEA",
              "versionEndIncluding": "7.4.2",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "87600A59-7DD1-49F5-A5A5-EA392193C6A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "33EB9718-E83C-43F4-AFF9-86A83F6F75A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "F7CDDDE5-5E00-41AB-8517-2E5A1427633D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "D5B4F901-D5A9-440D-86B4-76B42C833660",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "1AB262B6-E817-461A-9F05-15B1B37D9019",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "74FAF597-EAAD-4BB5-AB99-8129476A7E89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en el m\u00f3dulo Announcements en Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 17 y 7.3 antes del service pack 3 permite a atacantes remotos inyectar script web arbitrario o HTML."
    }
  ],
  "id": "CVE-2022-42110",
  "lastModified": "2024-11-21T07:24:22.523",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T00:15:12.817",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17403"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42110"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17403"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42110"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-04-19 13:15
Modified
2024-11-21 06:54
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of an asset category.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF5BFC45-3970-43D5-A064-D8785677E26C",
              "versionEndExcluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1374F32-A990-4892-BF5F-E80D2B54E760",
              "versionEndExcluding": "7.3.7",
              "versionStartIncluding": "7.3.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D77AE89B-3769-4AEC-AF7B-00AAE3F345F9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of an asset category."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el selector de categor\u00edas de activos del m\u00f3dulo Asset en Liferay Portal versiones 7.3.3 hasta 7.4.0, y Liferay DXP versiones 7.3 anteriores al Service Pack 3 permite a atacantes remotos inyectar scripts web arbitrarios o HTML arbitrarios por medio del nombre de una categor\u00eda de activos"
    }
  ],
  "id": "CVE-2022-26593",
  "lastModified": "2024-11-21T06:54:10.810",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-19T13:15:08.393",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26593-stored-xss-with-category-name-in-asset-categories-selector"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26593-stored-xss-with-category-name-in-asset-categories-selector"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-02 19:15
Modified
2024-11-21 06:16
Summary
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.
References
cve@mitre.org | http://liferay.com | Vendor Advisory
cve@mitre.org | https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default | Vendor Advisory
cve@mitre.org | https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://liferay.com | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP | Patch, Vendor Advisory



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "092D727C-B318-4F8C-8698-7DC78ABE2237",
              "versionEndExcluding": "7.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "5F76965E-CCB6-407B-88B7-7C5B70DE8408",
              "versionEndExcluding": "7.3.7",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Dynamic Data Mapping en Liferay Portal 7.0.0 hasta 7.3.6, y Liferay DXP 7.0 antes del fix pack 101, 7.1 antes del fix pack 21, 7.2 antes del fix pack 10 y 7.3 antes del fix pack 2 establece incorrectamente los permisos por defecto para los miembros del sitio, lo que permite a los usuarios remotos autentificados con el rol de miembro del sitio a\u00f1adir y duplicar formularios, a trav\u00e9s de la UI o la API"
    }
  ],
  "id": "CVE-2021-38268",
  "lastModified": "2024-11-21T06:16:42.813",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-02T19:15:07.880",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.
Impacted products
Vendor Product Version
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "101E130F-36D3-4775-8AD9-AA289E581CDB",
              "versionEndExcluding": "7.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el m\u00f3dulo Frontend JS de Liferay Portal versiones 7.3.4 y anteriores, y Liferay DXP versiones 7.0 anterior a fix pack 96, versiones 7.1 anterior a fix pack 20 y versiones 7.2 anterior a fix pack 9, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del t\u00edtulo de una ventana modal"
    }
  ],
  "id": "CVE-2021-33326",
  "lastModified": "2024-11-21T06:08:41.810",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.757",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17093"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747869"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17093"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747869"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-17 12:15
Modified
2024-11-21 06:00
Summary
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1, does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay liferay_portal * (7.3.0 through 7.3.5)



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF368A19-1F80-4A53-82C8-DDF6895F9992",
              "versionEndIncluding": "7.3.5",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Data Engine en Liferay Portal versiones 7.3.0 hasta 7.3.5 y Liferay DXP versiones 7.3 anteriores a fixpack 1 no comprueba los permisos en DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, que permite a los usuarios autenticados remotos visualizar estructuras DDMS por medio de llamadas a la API GET"
    }
  ],
  "id": "CVE-2021-29052",
  "lastModified": "2024-11-21T06:00:36.323",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-17T12:15:07.490",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-03-03 00:15
Modified
2024-11-21 06:16
Summary
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463.
Impacted products
Vendor Product Version
liferay liferay_portal 7.4.0
liferay liferay_portal 7.4.1



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D77AE89B-3769-4AEC-AF7B-00AAE3F345F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "0EBEF105-7297-44E3-B458-944861A941C2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de scripting cruzado (XSS) en el m\u00f3dulo Frontend Taglib en Liferay Portal 7.4.0 y 7.4.1 permite a los atacantes remotos inyectar script web o HTML arbitrario en la b\u00fasqueda de la barra de herramientas de gesti\u00f3n a trav\u00e9s del par\u00e1metro `keywords`. Este problema est\u00e1 causado por una correcci\u00f3n incompleta en CVE-2021-35463"
    }
  ],
  "id": "CVE-2021-38264",
  "lastModified": "2024-11-21T06:16:42.027",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-03T00:15:07.980",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
A cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19 and 7.3 before update 4, allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. (The NVD CVSS 3.1 vector in this record is PR:L/UI:R: a low-privileged account and user interaction are required.)
Impacted products
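Vendor Product Version (CPE version:update)
liferay liferay_portal * (7.2.1 through 7.4.2)
liferay dxp 7.2:-
liferay dxp 7.2:fix_pack_1
liferay dxp 7.2:fix_pack_10
liferay dxp 7.2:fix_pack_11
liferay dxp 7.2:fix_pack_12
liferay dxp 7.2:fix_pack_13
liferay dxp 7.2:fix_pack_14
liferay dxp 7.2:fix_pack_15
liferay dxp 7.2:fix_pack_2
liferay dxp 7.2:fix_pack_3
liferay dxp 7.2:fix_pack_4
liferay dxp 7.2:fix_pack_5
liferay dxp 7.2:fix_pack_6
liferay dxp 7.2:fix_pack_7
liferay dxp 7.2:fix_pack_8
liferay dxp 7.2:fix_pack_9
liferay dxp 7.3:-
liferay dxp 7.3:update_1
liferay dxp 7.3:update_2
liferay dxp 7.3:update_3
Note: the CPE list stops at DXP 7.2 fix pack 15, while the summary gives the affected range as before fix pack 19; match installed versions against the summary's range rather than the enumerated CPEs alone.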



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E8A0D26-A5F7-4228-83B1-92CDA307B5A3",
              "versionEndIncluding": "7.4.2",
              "versionStartIncluding": "7.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "74FAF597-EAAD-4BB5-AB99-8129476A7E89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Sharing module\u0027s user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en la notificaci\u00f3n de usuario del m\u00f3dulo Compartir en Liferay Portal 7.2.1 a 7.4.2, y Liferay DXP 7.2 antes del fix pack 19, y 7.3 antes de la actualizaci\u00f3n 4 permite a atacantes remotos inyectar scripts web o HTML arbitrarios compartiendo un activo con un payload manipulado."
    }
  ],
  "id": "CVE-2022-42111",
  "lastModified": "2024-11-21T07:24:22.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:10.227",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17379"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42111"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17379"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42111"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
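A Zip slip (archive path traversal, CWE-22) vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6 and 7.4 before update 19, allows attackers to create new files or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin. For DXP, the CPE list in this record names only the 7.3 and 7.4 base entries (update field `-`), so check the installed update level against the ranges stated here.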



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF1ADF5F-68DA-47D9-A6D9-16F8207525BB",
              "versionEndExcluding": "7.4.3.19",
              "versionStartIncluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad Zip slip en Elasticsearch Connector en Liferay Portal 7.3.3 a 7.4.3.18, y Liferay DXP 7.3 antes de la actualizaci\u00f3n 6 y 7.4 antes de la actualizaci\u00f3n 19 permite a los atacantes crear o sobrescribir archivos existentes en el sistema de archivos mediante la instalaci\u00f3n maliciosa del complemento Elasticsearch Sidecar."
    }
  ],
  "id": "CVE-2022-42123",
  "lastModified": "2024-11-21T07:24:24.557",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:13.053",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17518"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17518"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 03:15
Modified
2025-01-28 02:33
Summary
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "06CB4060-B2DE-4D8B-8776-568C44BB517C",
              "versionEndExcluding": "7.4.3.14",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de Cross-site scripting (XSS) almacenadas en Liferay Portal 7.2.0 a 7.4.3.13 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 10, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 17 y versiones anteriores no compatibles permiten usuarios autenticados remotamente para inyectar script web o HTML arbitrario a trav\u00e9s de un payload manipulado inyectado en el campo de texto del nombre/segundo nombre/apellido del usuario que crea una entrada en el (1) widget de anuncio o (2) widget de alertas."
    }
  ],
  "id": "CVE-2024-26266",
  "lastModified": "2025-01-28T02:33:22.940",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T03:15:09.353",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26266"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26266"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-04 13:15
Modified
2024-11-21 06:08
Summary
Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter.
Impacted products
Vendor Product Version
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "57EC96AE-93E7-4ED9-8A77-825EFBEF060F",
              "versionEndExcluding": "7.3.5",
              "versionStartIncluding": "7.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el m\u00f3dulo Fragment de Liferay Portal versiones 7.2.1 hasta 7.3.4, y Liferay DXP versiones 7.2 anteriores a fix pack 9, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio del par\u00e1metro _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name"
    }
  ],
  "id": "CVE-2021-33339",
  "lastModified": "2024-11-21T06:08:43.730",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-04T13:15:08.060",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17102"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747934"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17102"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747934"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-18 21:15
Modified
2024-11-21 07:24
Summary
A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9751440B-FA20-42E4-9B44-5DDF227CDA1F",
              "versionEndExcluding": "7.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:ga1:*:*:*:*:*:*",
              "matchCriteriaId": "186D21EA-CD15-4F50-B129-6EF8DCB4FE50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*",
              "matchCriteriaId": "5703FE2B-011A-4A40-AB67-B989438F2183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*",
              "matchCriteriaId": "41A54448-B1AB-4E92-8523-5D4A46A83533",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*",
              "matchCriteriaId": "A96A2A4A-3EB3-4074-A846-EC6EECC04B43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*",
              "matchCriteriaId": "56DAE678-10B9-419D-9F5D-96E3AC3A6E4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*",
              "matchCriteriaId": "064F4C28-B1F5-44C2-91AA-A09FD56EC0B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*",
              "matchCriteriaId": "814D0CE3-B89F-423C-B1E3-47BD0A474491",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*",
              "matchCriteriaId": "58DB7C5A-B4E3-410A-B491-3F322B340BDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*",
              "matchCriteriaId": "86B581B6-02B0-40B9-BB5C-E28FC51042DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*",
              "matchCriteriaId": "E7EFBC14-6785-4435-BA96-D77A857BC1C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*",
              "matchCriteriaId": "585635F8-53DC-4F64-BF6B-C6F72A5F4D29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:*",
              "matchCriteriaId": "355DD7FC-E9C7-43D6-8313-0474AB314F18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:*",
              "matchCriteriaId": "B0FDE8B1-444A-4FEB-AC97-4B29C914EB8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_27:*:*:*:*:*:*",
              "matchCriteriaId": "683D063A-0E32-4E2D-8CBF-A57F45071F6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_28:*:*:*:*:*:*",
              "matchCriteriaId": "7DFEBCAB-1D9B-4BED-A2C6-11BA863F1EE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_29:*:*:*:*:*:*",
              "matchCriteriaId": "DB8733C4-8CE4-4E4B-A2AE-919AA69DAF8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_30:*:*:*:*:*:*",
              "matchCriteriaId": "D372D9B9-5A83-4FF8-8DE5-617D99D1A8B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_31:*:*:*:*:*:*",
              "matchCriteriaId": "7519ABB1-57A7-46F1-97FC-DD44787F2B6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_32:*:*:*:*:*:*",
              "matchCriteriaId": "87BD916B-245C-4D62-B595-1985784C2ABC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_33:*:*:*:*:*:*",
              "matchCriteriaId": "841E15A8-0819-4E48-B7E3-3ACCB4C1F43B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_34:*:*:*:*:*:*",
              "matchCriteriaId": "91A243D9-7633-4836-B72D-75EF6C0F8876",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_35:*:*:*:*:*:*",
              "matchCriteriaId": "6E2B1876-78B1-407A-9392-94FFF33AC803",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_36:*:*:*:*:*:*",
              "matchCriteriaId": "4C6BBDC0-9D68-4653-9177-E49B847B04ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0086FDBD-9139-44E9-A01B-BE5C59456DC7",
              "versionEndExcluding": "7.4.3.37",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Role module\u0027s edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en la p\u00e1gina de edici\u00f3n de asignados de roles del m\u00f3dulo Role en Liferay Portal versiones 7.4.0 hasta 7.4.3.36, y Liferay DXP versiones 7.4 anteriores a update 37, permite a atacantes remotos inyectar script web o HTML arbitrarios"
    }
  ],
  "id": "CVE-2022-42114",
  "lastModified": "2024-11-21T07:24:23.137",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-18T21:15:16.287",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42114"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42114"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-13 13:15
Modified
2024-11-21 07:17
Summary
A cross-site scripting (XSS) vulnerability in the "add new topic" functionality of the Blog module in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JavaScript or HTML into the name field of a newly created topic.
Impacted products
Vendor Product Version
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay dxp 7.3
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "2B420A18-5C8B-470F-9189-C84F8DAA74D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "A7A399C4-6D4B-438C-9BAE-2893E457028A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "0CBACD88-B4F8-4496-9706-C666768AC9B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "510C440D-8B79-4685-8105-7A21A77CFC61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "52877E3A-4E07-4B14-BABC-B70266FEFEDE",
              "versionEndIncluding": "7.4.0",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en la funcionalidad Blog module - add new topic en Liferay Digital Experience Platform 7.3.10 SP3, permite a atacantes remotos inyectar scripts JS o HTML arbitrarios en el campo del nombre del tema reci\u00e9n creado"
    }
  ],
  "id": "CVE-2022-38902",
  "lastModified": "2024-11-21T07:17:15.237",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-13T13:15:10.043",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-03-20 19:15
Modified
2025-02-04 20:15
Summary
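Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). The record below carries CISA known-exploited fields (added 2021-11-03, action due 2022-05-03, required action: apply updates per vendor instructions) and a CVSS 3.1 base score of 9.8 with no privileges or user interaction required, so affected instances should be treated as a patching priority.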
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "cisaActionDue": "2022-05-03",
  "cisaExploitAdd": "2021-11-03",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Liferay Portal Deserialization of Untrusted Data Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "484E2316-EBD8-4CB8-B867-ADADA119957C",
              "versionEndIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS)."
    },
    {
      "lang": "es",
      "value": "Una Deserializaci\u00f3n de Datos No Confiables en Liferay Portal versiones anteriores a 7.2.1 CE GA2, permite a atacantes remotos ejecutar c\u00f3digo arbitrario por medio de los servicios web JSON (JSONWS)."
    }
  ],
  "id": "CVE-2020-7961",
  "lastModified": "2025-02-04T20:15:39.207",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2020-03-20T19:15:12.737",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-01-13 19:59
Modified
2024-11-21 01:23
Summary
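Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template. The NVD record below (CVE-2010-5327) scores this 8.8 under CVSS 3.0 with low privileges required, and its references include the vendor advisory for LPS-64547 and a Patch-tagged commit in the liferay-portal repository.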
Impacted products
Vendor Product Version
liferay liferay_portal * (up to and including 6.2.10 per the CPE match in the JSON below)



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E35F049-1FDA-45C9-B49F-8EF3D7547BCB",
              "versionEndIncluding": "6.2.10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template."
    },
    {
      "lang": "es",
      "value": "Liferay Portal hasta la versi\u00f3n 6.2.10 permite a usuarios remotos autenticados ejecutar comandos shell arbitrarios a trav\u00e9s de una plantilla Velocity manipulada."
    }
  ],
  "id": "CVE-2010-5327",
  "lastModified": "2024-11-21T01:23:03.187",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-01-13T19:59:00.137",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.liferay.com/browse/LPE-14964"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.liferay.com/browse/LPS-64547"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.liferay.com/browse/LPS-7087"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.liferay.com/browse/LPE-14964"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.liferay.com/browse/LPS-64547"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.liferay.com/browse/LPS-7087"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-04-25 16:16
Modified
2024-11-21 06:54
Summary
Cross-site scripting (XSS) vulnerability in the Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and in Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.
Impacted products
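Vendor Product Version (rows repeat because this table omits the CPE update field; the fix-pack level of each digital_experience_platform row is given in the `criteria` strings of the JSON below, e.g. `7.0:fix_pack_1`)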
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "6F20D93D-7FB2-4D5F-9249-4DECDE473C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "CF0821E5-B6E5-44E6-9CF7-77EAE982F677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "1B24B6A1-8439-49D6-8E78-193144F3DCC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "7E82A6CC-891C-4619-84EA-0DA96E4043C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "70E12054-0DEE-4B92-B8F6-7DC4B2461113",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "3B566A51-3EFC-4A08-8A4F-A9AA43FBE481",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "FE1A8781-6B16-4D37-B556-36B99CBCA9F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "3EE11B43-1629-4A22-BE88-0AFB2DFC528C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "10FC6F33-C031-40A4-AFAF-B5CF30F79E52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "99B99578-CACE-47D2-9C1E-A7BBD2B6F6EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "950D98A8-88EE-4C99-817B-C418071B2819",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "F86FF50F-B21A-4B6E-88B8-90D0C042E942",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "CE0E1891-6E76-4069-B412-43B5E5379E0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "404F5FFE-2758-452F-9297-40E0533C6FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "3F5B7E72-8D62-464A-AA82-CBE2625C7687",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "4FA67C68-3E8E-4383-967F-A1FA55AE4897",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "F220793A-FDAC-48C6-B299-39EB3BC077A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "F095A9E1-5FE1-46C4-B0E1-97F8767439D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "DFD748DD-6FDB-44CD-96BF-026D18CE4207",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "0A34F2EA-D0F7-4C9B-BFE6-DA334DFD0EDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "4B3C2426-7617-4535-B86A-7F9BA45DFD0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_29:*:*:*:*:*:*",
              "matchCriteriaId": "88A5CBCE-2BAE-44C7-A7BF-BC30C89839BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "CA6B2500-42E4-4F87-8B93-2F7399B4F611",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "28955834-8E02-4558-ABD3-4958DBB41423",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_31:*:*:*:*:*:*",
              "matchCriteriaId": "89B4F926-5018-4C50-9569-A92BEA6364A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_32:*:*:*:*:*:*",
              "matchCriteriaId": "863C4DBB-9BA2-4A13-8394-08AC500D552A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "C4206C84-C4BD-4363-A4CA-EE229CE06319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_34:*:*:*:*:*:*",
              "matchCriteriaId": "54CA9915-54C2-4E7F-85AF-781CA0A63A9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "4F644864-1056-4A0C-ADD7-A1992A0AC07D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "91E9BAE9-CD40-4353-95DB-7D9ADC338F95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_37:*:*:*:*:*:*",
              "matchCriteriaId": "C2A29CA0-66CB-4ED9-87B3-57A1C04F59F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_38:*:*:*:*:*:*",
              "matchCriteriaId": "2BFC882E-25C2-46A3-A0DA-A779399A3A30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "661E68A2-B365-4962-87CF-CE17A500889F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "D4094372-E950-4DE0-86D2-CE7F214FD3A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "A5D28279-002A-4BC7-9396-E47FC842D7AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "C700ED72-4626-48A0-B1BB-E0A7C12D454F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "8F473DF1-F70D-4EDB-A011-C8D1C6A21659",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "C2351EAC-F6AD-4611-B9BD-39C4DFE85B5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "357845C1-3834-465A-B9CA-F9C604AA8242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "DD35964D-4156-45B8-A0AB-282DA9F4FA47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "35656567-EF24-4948-A72A-C754D6E419B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "E9A3D95D-4539-432D-B241-376F312534AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "81F329F1-5BB1-42A7-98CE-B0EB5819D60A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "5B7111FA-9FD7-4952-AFE1-07D3E14854F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D35916F1-24AA-4BF3-8B1F-2361C5B815D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "2C7A080F-9C99-41A0-BC63-EBDDC0DF7B8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "0383C4C4-A7BB-418D-9A98-AC4233722961",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "AA281A20-7599-446B-9587-118E920403D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "9514E8F5-1D0B-4CDF-BD03-087326F6C252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "78BC7D6C-2A10-4F78-9C41-EA97665C246E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_55:*:*:*:*:*:*",
              "matchCriteriaId": "B2C29B11-D87B-4D78-9D42-AD528C811080",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "CA9BE427-78D7-4DEE-A174-F3E3675B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "6C10325C-8670-499B-B003-7D8634539C5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "5F692BEB-5CB1-41EA-B715-64AB0036F6CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "427C4DF5-9039-4CB5-B600-5F965E20D945",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "EDEE4B40-889C-472E-AA91-7E1B4314EE64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "44B7A2A2-5764-4EDB-AA44-25F8508CF128",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "55D94917-5360-4179-A017-1287C63A6E6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_62:*:*:*:*:*:*",
              "matchCriteriaId": "52C5C76D-2572-4ADF-B7E4-7B3444935658",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_63:*:*:*:*:*:*",
              "matchCriteriaId": "9ABFC91A-7A8D-4A08-9464-F534BAA69B4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "1D378A23-113D-47AC-9CB5-2658C357FFB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "58FB119E-508C-45F7-8AD8-B67AAAEA53D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "8B3359A5-D39B-4322-8963-B138D791D232",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "E11E2FBD-7541-4CE3-8A78-52FB82571547",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "3883F470-8D8D-4CB3-BF4A-0C401BDABC83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "1BDCF010-04BF-4FA5-9E14-F6461FED3FFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "3867FDAA-354E-4D2F-A260-27F31CA44C8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "7E8CEA39-4A7F-4827-91FA-31119201D174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "D3768AC9-A245-4B81-8D1D-9D9C5354245C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "71CA65C9-C0FC-4CBD-A8B0-DD72604A46F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "9F06DECA-F45D-49DA-BB24-AA1F0306B0B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_74:*:*:*:*:*:*",
              "matchCriteriaId": "3BA69ED9-28FA-40B5-84F9-0FFE40DFC675",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "6FF2D31F-8719-41A6-ADD5-15BE9409428E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "DE56F5E5-73CF-4636-9F98-86BDDA3F6A47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_77:*:*:*:*:*:*",
              "matchCriteriaId": "CE4885B1-F912-4D06-8179-830FC011F3F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "A1A0EFCE-4B74-4B4D-AB6E-5730F26B38FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "F02DCC86-C3F7-482C-9BFB-B7971FB10AEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "A89B7EE4-57FD-4B09-841A-ABC9990FF88F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "06835B0A-A2DF-44D3-A38F-59E5D5523FFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "B746D0CF-76F6-42A1-9056-CA9622DCD806",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "FFC33A7E-B1CB-4E83-B75C-71F5E7E5E406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "325CFFCF-1609-4D89-B6A8-1C6ACBFDD35B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "BD019A57-FC7A-4B1F-9946-FA15C90FC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "A6B2CD3A-C39C-4F9A-8602-3EC75472181D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "1B8DCD85-0E47-44C1-B7DD-E1B4756CEC17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "1790D974-2EE0-4405-8F26-BB6DB3BDA23B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "416B3F04-AD86-4F91-890E-56BA539AAB06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "C12C0E4D-4E9A-4BD7-926E-74BCD42595B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "655A3A6A-A3EB-4864-B64D-2319E5CF7DA0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "9A659FEF-1BC1-45E8-A01E-1F9A8F2AFAAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "3810319D-7DC4-47DD-B568-B0504DBC8209",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "D9BFFFC0-912A-4F95-A08E-1D264135D1E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "9EA924E7-DEF2-45BF-B435-C435AC20AF4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C6772278-8079-406E-8731-EAAA6183E41C",
              "versionEndIncluding": "7.3.3",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in Journal module\u0027s web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en la p\u00e1gina de configuraci\u00f3n de visualizaci\u00f3n de contenido web del m\u00f3dulo Journal en Liferay Portal versiones 7.1.0 hasta 7.3.3, y Liferay DXP versiones 7.0 anteriores al paquete de correcciones 94, versiones 7.1 anteriores al paquete de correcciones 19, y versiones 7.2 anteriores al paquete de correcciones 8, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio de los nombres de las plantillas de contenido web"
    }
  ],
  "id": "CVE-2022-26596",
  "lastModified": "2024-11-21T06:54:11.227",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-25T16:16:09.067",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-10-07 18:15
Modified
2024-11-21 07:23
Summary
An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6EBD047B-9B19-489F-8035-9447CCCB4584",
              "versionEndIncluding": "7.4.2",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages."
    },
    {
      "lang": "es",
      "value": "Un fallo no seguro en el componente auth.login.prompt.enabled de Liferay Portal versiones v7.0.0 hasta v7.4.2, permite a atacantes enumerar nombres de usuarios, nombres de sitios y p\u00e1ginas"
    }
  ],
  "id": "CVE-2022-41414",
  "lastModified": "2024-11-21T07:23:10.997",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-07T18:15:22.640",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-10-22 15:15
Modified
2024-12-10 21:07
Summary
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, and (4) perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "935D404E-76A6-4405-8A74-0E70E50C3FCC",
              "versionEndExcluding": "2023.q3.6",
              "versionStartIncluding": "2023.q3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3758E9CF-12EC-4025-85BB-1D5EEA99359A",
              "versionEndExcluding": "2023.q4.3",
              "versionStartIncluding": "2023.q4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
              "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
              "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
              "matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
              "matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FEDE37FB-83BC-41D6-94D7-DE087BC4FE14",
              "versionEndExcluding": "7.4.3.112",
              "versionStartIncluding": "7.4.3.75",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de Cross-Site Request Forgery (CSRF) en el widget Mi cuenta en Liferay Portal 7.4.3.75 a 7.4.3.111, y Liferay DXP 2023.Q4.0 a 2023.Q4.2, 2023.Q3.1 a 2023.Q3.5, 7.4 actualizaci\u00f3n 75 a 92 y 7.3 actualizaci\u00f3n 32 a 36 permite a atacantes remotos (1) cambiar las contrase\u00f1as de los usuarios, (2) apagar el servidor, (3) ejecutar c\u00f3digo arbitrario en la consola de scripts, (4) y realizar otras acciones administrativas a trav\u00e9s del par\u00e1metro _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL."
    }
  ],
  "id": "CVE-2024-26271",
  "lastModified": "2024-12-10T21:07:04.467",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-22T15:15:05.523",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2014-07-10 11:06
Modified
2024-11-21 02:07
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.
Impacted products
Vendor Product Version
liferay liferay_portal 6.1.2_ce_ga3
liferay liferay_portal 6.1.x_ee
liferay liferay_portal 6.2.x_ee



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.2_ce_ga3:*:*:*:*:*:*:*",
              "matchCriteriaId": "9AF25CAF-1EAC-4A73-B1CD-E64B834B1F42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.x_ee:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE5CC9AE-D670-4A0C-BF72-4F881FC90F5E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.x_ee:*:*:*:*:*:*:*",
              "matchCriteriaId": "1DDC0933-B3DC-4962-8A67-1435E898100B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de XSS en group/control_panel/manage en Liferay Portal 6.1.2 CE GA3, 6.1.X EE y 6.2.X EE permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) _2_firstName, (2) _2_lastName o (3) _2_middleName."
    }
  ],
  "id": "CVE-2014-2963",
  "lastModified": "2024-11-21T02:07:14.960",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-07-10T11:06:27.723",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/100972"
    },
    {
      "source": "cret@cert.org",
      "url": "https://github.com/samuelkong/liferay-portal/pull/610"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/100972"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/samuelkong/liferay-portal/pull/610"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-22 01:15
Modified
2024-11-21 06:58
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allow attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.
Impacted products
Vendor Product Version
liferay dxp 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:ga:*:*:*:*:*:*",
              "matchCriteriaId": "0DB2556C-DE8B-4102-985D-C65A35A8BE5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E04E0EDA-8E18-43C3-A0B2-DF45B7CE811D",
              "versionEndExcluding": "7.4.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en Liferay Portal versi\u00f3n v7.4.3.4 y Liferay DXP versi\u00f3n v7.4 GA, permiten a atacantes ejecutar scripts web o HTML arbitrarios por medio de par\u00e1metros con el prefijo filter_"
    }
  ],
  "id": "CVE-2022-28980",
  "lastModified": "2024-11-21T06:58:17.043",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-22T01:15:11.743",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 01:15
Modified
2024-11-21 07:24
Summary
A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "612C5E92-82FF-4C86-A9A4-BC4825033753",
              "versionEndIncluding": "7.4.3.4",
              "versionStartIncluding": "7.1.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "A978B14E-96F6-449F-8D8D-8E782A5A3D19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "87600A59-7DD1-49F5-A5A5-EA392193C6A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "33EB9718-E83C-43F4-AFF9-86A83F6F75A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "F7CDDDE5-5E00-41AB-8517-2E5A1427633D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "D5B4F901-D5A9-440D-86B4-76B42C833660",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "1AB262B6-E817-461A-9F05-15B1B37D9019",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "74FAF597-EAAD-4BB5-AB99-8129476A7E89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:ga1:*:*:*:*:*:*",
              "matchCriteriaId": "186D21EA-CD15-4F50-B129-6EF8DCB4FE50",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "201470D2-65E1-40D7-B01B-35A03930BEEA",
              "versionEndIncluding": "7.4.2",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template\u0027s \u0027Name\u0027 field."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo Layout en Liferay Portal 7.1.3 hasta 7.4.3.4, y Liferay DXP 7.1 anterior al fix pack 27, 7.2 anterior al fix pack 17, 7.3 anterior al service pack 3 y 7.4 GA permite a atacantes remotos autenticados ejecutar arbitrariamente Comandos SQL a trav\u00e9s de un payload manipulado inyectado en el campo \u0027Nombre\u0027 de una plantilla de p\u00e1gina."
    }
  ],
  "id": "CVE-2022-42121",
  "lastModified": "2024-11-21T07:24:24.230",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T01:15:12.843",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17414"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42121"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17414"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42121"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-04 14:15
Modified
2024-11-21 06:08
Summary
Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CDF8752-7AE9-43E4-81AD-DFD179486504",
              "versionEndIncluding": "7.3.4",
              "versionStartIncluding": "7.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Document Library module\u0027s add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en el men\u00fa de adici\u00f3n de documentos del m\u00f3dulo de la Biblioteca de Documentos en Liferay Portal versiones 7.3.0 hasta 7.3.4, y Liferay DXP versiones 7.1 anteriores a fix pack 20, y versiones 7.2 anteriores a fix pack 9, permite a atacantes remotos inyectar script web o HTML arbitrarios por medio del par\u00e1metro _com_liferay_document_library_web_portlet_DLAdminPortlet_name"
    }
  ],
  "id": "CVE-2021-33337",
  "lastModified": "2024-11-21T06:08:43.423",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-04T14:15:08.317",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17101"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33337-stored-xss-with-document-types-in-documents-and-media"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17101"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33337-stored-xss-with-document-types-in-documents-and-media"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99862578-46EC-4BB6-9CEF-EE5293BDCF8E",
              "versionEndExcluding": "7.3.1",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Dynamic Data Mapping en Liferay Portal versiones 7.1.0 hasta 7.3.2, y Liferay DXP versiones 7.1 anteriores a fix pack 19, y versiones 7.2 anteriores a fix pack 7, guarda autom\u00e1ticamente los valores de los formularios para usuarios no autenticados, lo que permite a atacantes remotos visualizar los valores guardados autom\u00e1ticamente al visualizar el formulario como un usuario no autenticado."
    }
  ],
  "id": "CVE-2021-33323",
  "lastModified": "2024-11-21T06:08:41.367",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.657",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17049"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17049"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-312"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 09:15
Modified
2024-12-11 14:27
Summary
XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
Impacted products
Vendor Product Version
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "6A773FC6-429D-483D-9736-25323B55A71F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "B6AAAAF1-994E-409D-8FC7-DE2A2CF60AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
              "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
              "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
              "matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
              "matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEC6590B-9ECD-4B86-A964-0824C7F129EB",
              "versionEndExcluding": "7.4.3.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad XXE en Liferay Portal 7.2.0 a 7.4.3.7 y versiones anteriores sin soporte, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 4, 7.3 antes de la actualizaci\u00f3n 12, 7.2 antes del fix pack 20 y versiones anteriores sin soporte, permite a atacantes con permiso para implementar widgets/portlets/extensiones obtener informaci\u00f3n confidencial o consumir recursos del sistema a trav\u00e9s del m\u00e9todo Java2WsddTask._format."
    }
  ],
  "id": "CVE-2024-25606",
  "lastModified": "2024-12-11T14:27:37.600",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T09:15:09.533",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-21 03:15
Modified
2025-01-28 02:54
Summary
Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5EED129E-9461-45BF-9936-040F51B759D6",
              "versionEndExcluding": "7.4.3.98",
              "versionStartIncluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
              "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
              "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*",
              "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*",
              "matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
              "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*",
              "matchCriteriaId": "1F8A9DEC-2C27-4EBB-B684-8EBDB374CFCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*",
              "matchCriteriaId": "C3E7B777-8026-4C8F-9353-B5504873E0F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*",
              "matchCriteriaId": "2207FEE5-2537-4C6E-AC9C-EC53DBF3C57E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*",
              "matchCriteriaId": "087A2B43-07CE-4B3D-B879-449631DDA8D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*",
              "matchCriteriaId": "019CED83-6277-434C-839C-6C4E0C45FB1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*",
              "matchCriteriaId": "6C533124-74E6-4312-9AF7-6496DE2A5152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*",
              "matchCriteriaId": "8DDA248D-5F00-4FC1-B857-A7942BAA1F3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*",
              "matchCriteriaId": "6C6BA174-69D4-43FC-9395-1B6306A44CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*",
              "matchCriteriaId": "A465C229-D3FB-43E9-87BE-119BEE9110F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*",
              "matchCriteriaId": "32E98546-CE96-4BB8-A11C-F7E850C155F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*",
              "matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*",
              "matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*",
              "matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*",
              "matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*",
              "matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*",
              "matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
              "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
              "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
              "matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
              "matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
              "matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
              "matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
              "matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
              "matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*",
              "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*",
              "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*",
              "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*",
              "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*",
              "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*",
              "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*",
              "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*",
              "matchCriteriaId": "D4687FDA-0078-4E89-ADD8-7EDDA68261A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*",
              "matchCriteriaId": "7EA29B09-CC24-4063-96A5-96AA08C0886D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*",
              "matchCriteriaId": "331FC246-D3E9-4711-B305-BE51BF743CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*",
              "matchCriteriaId": "A5823BC0-8C11-4C31-9E99-3C9D82918E2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*",
              "matchCriteriaId": "E2E6CB66-1AE1-4626-8070-64C250ED8363",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*",
              "matchCriteriaId": "B63449AA-6831-4290-B1FA-0BB806820402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*",
              "matchCriteriaId": "B3B169F6-B8B8-4612-AD7D-F75CC6A9297B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*",
              "matchCriteriaId": "12D46756-D26D-4877-ACE8-1C2721908428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*",
              "matchCriteriaId": "5403DCEF-20C2-4568-8DF1-30804F522915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*",
              "matchCriteriaId": "90E39742-90BE-4DEB-AB78-F9B8F7333F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*",
              "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*",
              "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*",
              "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*",
              "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*",
              "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*",
              "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*",
              "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*",
              "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*",
              "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*",
              "matchCriteriaId": "62AE52FE-FB7F-4339-BDDE-E5AD235BBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*",
              "matchCriteriaId": "C99508DB-19E9-4832-AB38-57C61C7D68BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*",
              "matchCriteriaId": "131E4E65-D997-47F1-8CB8-15CE6A60AB1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*",
              "matchCriteriaId": "94AC684E-3C5F-4859-B6EB-42C478F9DD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*",
              "matchCriteriaId": "9855E3CB-925E-4623-A776-59422AB2FC6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*",
              "matchCriteriaId": "01C3B7BE-1F9B-4EDA-990C-A4022CB85612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*",
              "matchCriteriaId": "65CF766C-626D-4F8C-BDBF-F0C5404DD545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*",
              "matchCriteriaId": "720EF24C-9A36-405B-A380-6114C150B376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*",
              "matchCriteriaId": "44479EF5-40BD-43A2-AD0F-CE1660222AB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*",
              "matchCriteriaId": "B8E0BD92-0F77-481E-8167-F81755E00703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*",
              "matchCriteriaId": "2BDB885E-814A-4CA8-A81C-1DB35989089B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*",
              "matchCriteriaId": "B73DA1AE-C62F-4E62-AA98-5697656825F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*",
              "matchCriteriaId": "D49DEE85-4DDB-4EF4-9F4D-11E7C1364055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*",
              "matchCriteriaId": "5FDAD47C-C2DA-4533-AA58-DD6EC09A580A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*",
              "matchCriteriaId": "5F81F36F-B20F-48B3-A1F2-3D319A34176B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*",
              "matchCriteriaId": "754329CD-30B7-4410-A371-56A7C261B61B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*",
              "matchCriteriaId": "C9445405-6B94-4DD1-BA94-B600AA316BB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*",
              "matchCriteriaId": "D2B77C89-7F33-47A0-B6BF-473366033BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*",
              "matchCriteriaId": "8183B9D5-1C4D-4D30-BD85-13850FF34CB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*",
              "matchCriteriaId": "1675366A-2388-4F7E-B423-D39BC7D3D38D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*",
              "matchCriteriaId": "B93C3CF2-4F45-4F6C-AB6D-F9ABDA7C4DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*",
              "matchCriteriaId": "34A6A6A0-9307-4F5D-9605-1F786D1CD62A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*",
              "matchCriteriaId": "6B994132-7103-4132-9D90-11CA264FEDE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*",
              "matchCriteriaId": "A1958E04-AB8A-4B0E-AB45-B810CAED2EEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
              "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*",
              "matchCriteriaId": "848B2C72-447D-46E2-A5A7-43CF3764E578",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*",
              "matchCriteriaId": "26A0AF15-52A9-46FD-8157-359141332EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*",
              "matchCriteriaId": "63D63872-C1D0-444F-BCC7-A514F323C256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*",
              "matchCriteriaId": "9D9FA9AD-39D3-412A-B794-E1B29EEEEC4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
              "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
              "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
              "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
              "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
              "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
              "matchCriteriaId": "2A05FB86-332B-44E3-93CB-82465A38976E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
              "matchCriteriaId": "7C754823-899C-4EEF-ACB7-E1551FA88B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
              "matchCriteriaId": "493D4C18-DEE2-4040-9C13-3A9AB2CE47BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
              "matchCriteriaId": "8F17DD75-E63B-4E4C-B136-D43F17B389EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
              "matchCriteriaId": "62EE759A-78AD-40D6-8C5B-10403A8A4A89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
              "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting (XSS) reflejado al agregar asignados a una p\u00e1gina de rol en Liferay Portal 7.3.3 hasta 7.4.3.97 y Liferay DXP 2023.Q3 antes del parche 6, 7.4 GA hasta la actualizaci\u00f3n 92 y 7.3 antes de que la actualizaci\u00f3n 34 lo permita atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s del par\u00e1metro _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2."
    }
  ],
  "id": "CVE-2023-42496",
  "lastModified": "2025-01-28T02:54:33.753",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T03:15:08.057",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42496"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42496"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-17 10:15
Modified
2024-11-21 08:25
Summary
Stored cross-site scripting (XSS) vulnerability in the Page Tree menu in Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a page's "Name" text field.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4CC72-C15A-40DE-AFF4-0B6B79BFB2BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "43C11288-1C48-47A0-95DF-A48F3C0285F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "5ECF3B18-D0DB-4FB6-9F6F-B63A6CE45081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "79AC7C0B-4135-4C24-8D37-A9431156E3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "7289F71D-ECEB-4FB9-A53F-D3F4D1315ADD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*",
              "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*",
              "matchCriteriaId": "9D07DB20-9DCF-4C05-99D2-F6B37A082C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*",
              "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*",
              "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*",
              "matchCriteriaId": "67F50AF8-7B0E-4D01-9EB2-C6625E9DACB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*",
              "matchCriteriaId": "CCD1DEA0-8823-4780-B5EE-C1A2BB3C6B4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*",
              "matchCriteriaId": "DC6FF5AB-B6E4-45D9-854B-29DEC200DA4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*",
              "matchCriteriaId": "365F28B6-DBF2-45BB-A06D-DD80CFBAD7BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*",
              "matchCriteriaId": "7E325115-EEBC-41F4-8606-45270DA40B98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CD5A1D3-7822-4D13-842D-18A7F04802A6",
              "versionEndExcluding": "7.4.3.49",
              "versionStartIncluding": "7.3.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page\u0027s \"Name\" text field."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) almacenada en Page Tree menu Liferay Portal 7.3.6 hasta 7.4.3.78, y Liferay DXP 7.3 fixpack 1 hasta la actualizaci\u00f3n 23, y 7.4 antes de la actualizaci\u00f3n 79 permite a atacantes remotos inyectar script web o HTML arbitrario mediante un payload manipulado inyectado en el campo de texto \"Name\" de la p\u00e1gina."
    }
  ],
  "id": "CVE-2023-44310",
  "lastModified": "2024-11-21T08:25:38.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T10:15:09.793",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-08 04:15
Modified
2024-11-21 09:00
Summary
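The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self-referencing IFrame.
Note: the summary gives the Portal range as "through 7.4.3.26", but the CPE match criteria in the record below use versionEndExcluding 7.4.3.26, so CPE-based matching will not flag 7.4.3.26 itself. The record also carries two different CVSS vectors (vendor base score 4.1, NVD base score 6.5).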



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "74FAF597-EAAD-4BB5-AB99-8129476A7E89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "20F078A3-A3EE-4CCA-816D-3C053E7D7FE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "C33EBD80-91DD-401C-9337-171C07B5D489",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "0058B9A5-7864-4356-ADBA-C9AF1BB74836",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "1CF5B84B-1719-4581-8474-C55CEFFD8305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "D60CDAA3-6029-4904-9D08-BB221BCFD7C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "B66F47E9-3D82-497E-BD84-E47A65FAF8C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "A0BA4856-59DF-427C-959F-3B836314F5D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "F3A5ADE1-4743-4A78-9FCC-CEB857012A5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "2B420A18-5C8B-470F-9189-C84F8DAA74D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "ADB5F13C-EE1E-4448-8FCF-5966F6874440",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*",
              "matchCriteriaId": "46AF397F-A95C-4FAD-A6EA-CB623B7A262A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*",
              "matchCriteriaId": "3B8C3B3F-1BBB-47A5-A789-B207B6346FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*",
              "matchCriteriaId": "AD5D1171-954A-4E75-813D-E8392CFE4029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*",
              "matchCriteriaId": "F148098A-D867-4C8B-9632-6B7F24D50C30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*",
              "matchCriteriaId": "8A112ED2-27C2-45E3-8FA0-6043F7D3BEED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*",
              "matchCriteriaId": "0744AC04-9663-4DA1-9657-EC5BF0C68499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*",
              "matchCriteriaId": "5703FE2B-011A-4A40-AB67-B989438F2183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*",
              "matchCriteriaId": "41A54448-B1AB-4E92-8523-5D4A46A83533",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*",
              "matchCriteriaId": "A96A2A4A-3EB3-4074-A846-EC6EECC04B43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*",
              "matchCriteriaId": "56DAE678-10B9-419D-9F5D-96E3AC3A6E4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*",
              "matchCriteriaId": "064F4C28-B1F5-44C2-91AA-A09FD56EC0B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*",
              "matchCriteriaId": "C2C2351E-BDEE-4A79-A00C-6520B54996EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*",
              "matchCriteriaId": "814D0CE3-B89F-423C-B1E3-47BD0A474491",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*",
              "matchCriteriaId": "58DB7C5A-B4E3-410A-B491-3F322B340BDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*",
              "matchCriteriaId": "86B581B6-02B0-40B9-BB5C-E28FC51042DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*",
              "matchCriteriaId": "E7EFBC14-6785-4435-BA96-D77A857BC1C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*",
              "matchCriteriaId": "585635F8-53DC-4F64-BF6B-C6F72A5F4D29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:*",
              "matchCriteriaId": "355DD7FC-E9C7-43D6-8313-0474AB314F18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:*",
              "matchCriteriaId": "B0FDE8B1-444A-4FEB-AC97-4B29C914EB8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*",
              "matchCriteriaId": "25F5C3E9-CBB0-4114-91A4-41F0E666026A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*",
              "matchCriteriaId": "5E2B5687-B311-460E-A562-D754AF271F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*",
              "matchCriteriaId": "B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*",
              "matchCriteriaId": "DF169364-096C-4294-B89F-C07AF1DCC9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*",
              "matchCriteriaId": "30CB2C54-1A20-4226-ACC6-AC8131899AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*",
              "matchCriteriaId": "65693260-5B0F-47AA-BF08-D2979997A40A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*",
              "matchCriteriaId": "C9116909-04C3-4040-B945-4A6225425520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71EF9A3C-C47A-4C68-B7FA-39AA7F20B8BD",
              "versionEndExcluding": "7.4.3.26",
              "versionStartIncluding": "7.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame."
    },
    {
      "lang": "es",
      "value": "El widget IFrame en Liferay Portal 7.2.0 a 7.4.3.26 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 27, 7.3 antes de la actualizaci\u00f3n 6, 7.2 antes del fixpack 19 y versiones anteriores no compatibles no comprueba la URL del IFrame , que permite a los usuarios autenticados remotamente provocar una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de un IFrame de autorreferencia."
    }
  ],
  "id": "CVE-2024-25144",
  "lastModified": "2024-11-21T09:00:20.550",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-08T04:15:07.763",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-835"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-834"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 13:15
Modified
2024-11-21 08:06
Summary
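Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.
Note: the CPE list that follows also marks DXP 7.1 fix packs 20 through 26 as vulnerable, which does not agree with "7.1 before fix pack 18"; check Liferay's advisory for the fixed versions before relying on CPE matching.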



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "43C11288-1C48-47A0-95DF-A48F3C0285F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "5ECF3B18-D0DB-4FB6-9F6F-B63A6CE45081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "79AC7C0B-4135-4C24-8D37-A9431156E3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "7289F71D-ECEB-4FB9-A53F-D3F4D1315ADD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "C18AE68F-6EF0-4132-A3D8-C2D77A842137",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "4C5F0729-7B44-4B9E-949F-6A66D8176E11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "B883C27E-3C14-4686-A0E8-8969B4246CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99862578-46EC-4BB6-9CEF-EE5293BDCF8E",
              "versionEndExcluding": "7.3.1",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form\u0027s `name` field."
    }
  ],
  "id": "CVE-2023-33937",
  "lastModified": "2024-11-21T08:06:14.453",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T13:15:09.707",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33937"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33937"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-01-28 12:15
Modified
2024-11-21 05:23
Summary
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design flaw.
Impacted products
Vendor Product Version
liferay liferay_portal 7.2
liferay liferay_portal 7.3.5



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.2:ga1:*:*:community:*:*:*",
              "matchCriteriaId": "EE4E1281-8507-42CB-9330-7D4B23247164",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.5:ga6:*:*:community:*:*:*",
              "matchCriteriaId": "C954CFAB-373F-4E6F-9DDD-DDACC0ED3353",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design flaw."
    },
    {
      "lang": "es",
      "value": "** EN DISPUTA ** Liferay Portal Server probado en versiones 7.3.5 GA6, 7.2.0 GA1, est\u00e1 afectado por la inyecci\u00f3n de comandos del Sistema Operativo. Un usuario administrador puede inyectar comandos mediante el m\u00f3dulo Gogo Shell para ejecutar cualquier comando del SO en el Liferay Portal Sever.  NOTA: El desarrollador cuestiona esto como una vulnerabilidad, ya que es una funci\u00f3n para que los administradores accedan y ejecuten comandos en Gogo Shell y, por lo tanto, no es una falla de dise\u00f1o"
    }
  ],
  "id": "CVE-2020-28885",
  "lastModified": "2024-11-21T05:23:14.293",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-28T12:15:07.960",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-15 02:15
Modified
2024-11-21 07:24
Summary
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
Impacted products
Vendor Product Version
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.0
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.1
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "6F20D93D-7FB2-4D5F-9249-4DECDE473C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "CF0821E5-B6E5-44E6-9CF7-77EAE982F677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_100:*:*:*:*:*:*",
              "matchCriteriaId": "8C9B7CF8-5553-47B6-BB57-0429D78AE301",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "1B24B6A1-8439-49D6-8E78-193144F3DCC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "7E82A6CC-891C-4619-84EA-0DA96E4043C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "70E12054-0DEE-4B92-B8F6-7DC4B2461113",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "3B566A51-3EFC-4A08-8A4F-A9AA43FBE481",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "FE1A8781-6B16-4D37-B556-36B99CBCA9F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "3EE11B43-1629-4A22-BE88-0AFB2DFC528C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "10FC6F33-C031-40A4-AFAF-B5CF30F79E52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "99B99578-CACE-47D2-9C1E-A7BBD2B6F6EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "950D98A8-88EE-4C99-817B-C418071B2819",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "F86FF50F-B21A-4B6E-88B8-90D0C042E942",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "CE0E1891-6E76-4069-B412-43B5E5379E0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "404F5FFE-2758-452F-9297-40E0533C6FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "3F5B7E72-8D62-464A-AA82-CBE2625C7687",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "4FA67C68-3E8E-4383-967F-A1FA55AE4897",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "F220793A-FDAC-48C6-B299-39EB3BC077A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "F095A9E1-5FE1-46C4-B0E1-97F8767439D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "DFD748DD-6FDB-44CD-96BF-026D18CE4207",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "0A34F2EA-D0F7-4C9B-BFE6-DA334DFD0EDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "4B3C2426-7617-4535-B86A-7F9BA45DFD0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_29:*:*:*:*:*:*",
              "matchCriteriaId": "88A5CBCE-2BAE-44C7-A7BF-BC30C89839BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "CA6B2500-42E4-4F87-8B93-2F7399B4F611",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "28955834-8E02-4558-ABD3-4958DBB41423",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_31:*:*:*:*:*:*",
              "matchCriteriaId": "89B4F926-5018-4C50-9569-A92BEA6364A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_32:*:*:*:*:*:*",
              "matchCriteriaId": "863C4DBB-9BA2-4A13-8394-08AC500D552A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "C4206C84-C4BD-4363-A4CA-EE229CE06319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_34:*:*:*:*:*:*",
              "matchCriteriaId": "54CA9915-54C2-4E7F-85AF-781CA0A63A9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "4F644864-1056-4A0C-ADD7-A1992A0AC07D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "91E9BAE9-CD40-4353-95DB-7D9ADC338F95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_37:*:*:*:*:*:*",
              "matchCriteriaId": "C2A29CA0-66CB-4ED9-87B3-57A1C04F59F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_38:*:*:*:*:*:*",
              "matchCriteriaId": "2BFC882E-25C2-46A3-A0DA-A779399A3A30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "661E68A2-B365-4962-87CF-CE17A500889F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "D4094372-E950-4DE0-86D2-CE7F214FD3A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "A5D28279-002A-4BC7-9396-E47FC842D7AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "C700ED72-4626-48A0-B1BB-E0A7C12D454F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "8F473DF1-F70D-4EDB-A011-C8D1C6A21659",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "C2351EAC-F6AD-4611-B9BD-39C4DFE85B5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "357845C1-3834-465A-B9CA-F9C604AA8242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "DD35964D-4156-45B8-A0AB-282DA9F4FA47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "35656567-EF24-4948-A72A-C754D6E419B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "E9A3D95D-4539-432D-B241-376F312534AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "81F329F1-5BB1-42A7-98CE-B0EB5819D60A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "5B7111FA-9FD7-4952-AFE1-07D3E14854F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D35916F1-24AA-4BF3-8B1F-2361C5B815D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "2C7A080F-9C99-41A0-BC63-EBDDC0DF7B8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "0383C4C4-A7BB-418D-9A98-AC4233722961",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "AA281A20-7599-446B-9587-118E920403D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "9514E8F5-1D0B-4CDF-BD03-087326F6C252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "78BC7D6C-2A10-4F78-9C41-EA97665C246E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_55:*:*:*:*:*:*",
              "matchCriteriaId": "B2C29B11-D87B-4D78-9D42-AD528C811080",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "CA9BE427-78D7-4DEE-A174-F3E3675B44A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "6C10325C-8670-499B-B003-7D8634539C5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "5F692BEB-5CB1-41EA-B715-64AB0036F6CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "427C4DF5-9039-4CB5-B600-5F965E20D945",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "EDEE4B40-889C-472E-AA91-7E1B4314EE64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "44B7A2A2-5764-4EDB-AA44-25F8508CF128",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "55D94917-5360-4179-A017-1287C63A6E6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_62:*:*:*:*:*:*",
              "matchCriteriaId": "52C5C76D-2572-4ADF-B7E4-7B3444935658",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_63:*:*:*:*:*:*",
              "matchCriteriaId": "9ABFC91A-7A8D-4A08-9464-F534BAA69B4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "1D378A23-113D-47AC-9CB5-2658C357FFB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "58FB119E-508C-45F7-8AD8-B67AAAEA53D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "8B3359A5-D39B-4322-8963-B138D791D232",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "E11E2FBD-7541-4CE3-8A78-52FB82571547",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "3883F470-8D8D-4CB3-BF4A-0C401BDABC83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "1BDCF010-04BF-4FA5-9E14-F6461FED3FFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "3867FDAA-354E-4D2F-A260-27F31CA44C8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "7E8CEA39-4A7F-4827-91FA-31119201D174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "D3768AC9-A245-4B81-8D1D-9D9C5354245C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "71CA65C9-C0FC-4CBD-A8B0-DD72604A46F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "9F06DECA-F45D-49DA-BB24-AA1F0306B0B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_74:*:*:*:*:*:*",
              "matchCriteriaId": "3BA69ED9-28FA-40B5-84F9-0FFE40DFC675",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "6FF2D31F-8719-41A6-ADD5-15BE9409428E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "DE56F5E5-73CF-4636-9F98-86BDDA3F6A47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_77:*:*:*:*:*:*",
              "matchCriteriaId": "CE4885B1-F912-4D06-8179-830FC011F3F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "A1A0EFCE-4B74-4B4D-AB6E-5730F26B38FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "F02DCC86-C3F7-482C-9BFB-B7971FB10AEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "A89B7EE4-57FD-4B09-841A-ABC9990FF88F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "06835B0A-A2DF-44D3-A38F-59E5D5523FFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "B746D0CF-76F6-42A1-9056-CA9622DCD806",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "FFC33A7E-B1CB-4E83-B75C-71F5E7E5E406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "325CFFCF-1609-4D89-B6A8-1C6ACBFDD35B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "BD019A57-FC7A-4B1F-9946-FA15C90FC985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "A6B2CD3A-C39C-4F9A-8602-3EC75472181D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "1B8DCD85-0E47-44C1-B7DD-E1B4756CEC17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "1790D974-2EE0-4405-8F26-BB6DB3BDA23B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "416B3F04-AD86-4F91-890E-56BA539AAB06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "C12C0E4D-4E9A-4BD7-926E-74BCD42595B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "655A3A6A-A3EB-4864-B64D-2319E5CF7DA0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "9A659FEF-1BC1-45E8-A01E-1F9A8F2AFAAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "3810319D-7DC4-47DD-B568-B0504DBC8209",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "D9BFFFC0-912A-4F95-A08E-1D264135D1E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "9EA924E7-DEF2-45BF-B435-C435AC20AF4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "E6809C30-9A81-45E6-92E9-01D54880EFEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "C194ACCD-CB7E-4DFC-ABB5-7CCEFD83E11B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_96:*:*:*:*:*:*",
              "matchCriteriaId": "69856C3C-2ACB-4718-821C-793118094985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_97:*:*:*:*:*:*",
              "matchCriteriaId": "8693CC24-CEF6-4479-A3DA-8FD5C73E9548",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_98:*:*:*:*:*:*",
              "matchCriteriaId": "B1A95A94-83C6-4DCC-8208-B76B53678B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:fix_pack_99:*:*:*:*:*:*",
              "matchCriteriaId": "A1831C4F-7887-489E-91C1-3997114917DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "D18ACD28-9182-435C-A30F-DF3BFE13C39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4CC72-C15A-40DE-AFF4-0B6B79BFB2BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_20:*:*:*:*:*:*",
              "matchCriteriaId": "43C11288-1C48-47A0-95DF-A48F3C0285F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_21:*:*:*:*:*:*",
              "matchCriteriaId": "5ECF3B18-D0DB-4FB6-9F6F-B63A6CE45081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_22:*:*:*:*:*:*",
              "matchCriteriaId": "79AC7C0B-4135-4C24-8D37-A9431156E3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_23:*:*:*:*:*:*",
              "matchCriteriaId": "7289F71D-ECEB-4FB9-A53F-D3F4D1315ADD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "C18AE68F-6EF0-4132-A3D8-C2D77A842137",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "4C5F0729-7B44-4B9E-949F-6A66D8176E11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "B883C27E-3C14-4686-A0E8-8969B4246CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "58CE2C64-BC5F-4281-AD98-B2C4B24A949C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9B36899-E84E-498B-B99B-B6EB8F7ECE5C",
              "versionEndExcluding": "7.4.3.5",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential."
    },
    {
      "lang": "es",
      "value": "La funcionalidad Probar usuarios de LDAP en Liferay Portal 7.0.0 a 7.4.3.4, y Liferay DXP 7.0 fixpack 102 y anteriores, 7.1 antes del fixpack 27, 7.2 antes del fixpack 17, 7.3 antes de la actualizaci\u00f3n 4 y DXP 7.4 GA incluye la credencial LDAP en la URL de la p\u00e1gina al paginar a trav\u00e9s de la lista de usuarios, lo que permite a los atacantes intermediarios o a los atacantes con acceso a los registros de solicitudes ver la credencial LDAP."
    }
  ],
  "id": "CVE-2022-42132",
  "lastModified": "2024-11-21T07:24:25.987",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-15T02:15:12.240",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17438"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17438"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 21:15
Modified
2024-11-21 06:08
Summary
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC608B59-98F9-4FDD-A37D-87E5096E1756",
              "versionEndExcluding": "7.3.2",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the \u0027redirect\u0027 parameter."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de redireccionamiento abierto en el m\u00f3dulo Notifications de Liferay Portal versiones 7.0.0 hasta 7.3.1, y Liferay DXP versiones 7.0 anteriores a fix pack 94, versiones 7.1 anteriores a fix pack 19 y versiones 7.2 anteriores a fix pack 8, permite a atacantes remotos redirigir a usuarios a URLs externas arbitrarias por medio del par\u00e1metro \"redirect\""
    }
  ],
  "id": "CVE-2021-33331",
  "lastModified": "2024-11-21T06:08:42.440",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T21:15:08.490",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17022"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17022"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:08
Summary
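In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. Note that the CPE match data in the record below also lists DXP 7.1 fix pack 18 as vulnerable, which differs from the "7.1 before fix pack 18" stated here, so confirm the fixed level against the vendor advisory when deciding whether a 7.1 installation is patched.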



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73CDC2CC-EE82-4010-88E5-EDC175DA4D47",
              "versionEndExcluding": "7.3.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user\u2019s password via the old password reset token."
    },
    {
      "lang": "es",
      "value": "En Liferay Portal versiones 7.3.0 y anteriores, y Liferay DXP versiones 7.0 anteriores a fix pack 96, versiones 7.1 anteriores a fix pack 18, y versiones 7.2 anteriores a fix pack 5, los tokens de restablecimiento de contrase\u00f1a no son invalidados despu\u00e9s de que un usuario cambie su contrase\u00f1a, lo que permite a atacantes remotos cambiar la contrase\u00f1a del usuario por medio del antiguo token de restablecimiento de contrase\u00f1a"
    }
  ],
  "id": "CVE-2021-33322",
  "lastModified": "2024-11-21T06:08:41.217",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-03T19:15:08.623",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-16981"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-16981"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 13:15
Modified
2025-01-28 21:35
Summary
The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter.
Impacted products
Vendor Product Version
liferay liferay_portal *
liferay liferay_portal *
liferay digital_experience_platform *
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.2
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB1BD676-9B8D-44B0-9EAA-777EC43859DB",
              "versionEndIncluding": "7.3.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B40276-6D4F-49A5-AB91-D3BD7B8000C9",
              "versionEndExcluding": "7.4.3.16",
              "versionStartIncluding": "7.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
              "versionEndExcluding": "7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "F2B55C77-9FAA-4E14-8CEF-9C4CAC804007",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "54E499E6-C747-476B-BFE2-C04D9F8744F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "43F61E2F-4643-4D5D-84DB-7B7B6E93C67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "8B057D81-7589-4007-9A0D-2D302B82F9CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "6F0F2558-6990-43D7-9FE2-8E99D81B8269",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "11072673-C3AB-42EA-A26F-890DEE903D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "134560B0-9746-4EC3-8DE3-26E53E2CAC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "71E41E59-D71F-48F0-812B-39D59F81997B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*",
              "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*",
              "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*",
              "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*",
              "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*",
              "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*",
              "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*",
              "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*",
              "matchCriteriaId": "10B863B8-201D-494C-8175-168820996174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*",
              "matchCriteriaId": "CBF766CE-CBB8-472A-BAF0-BD39A7BCB4DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*",
              "matchCriteriaId": "182FAA46-D9FB-4170-B305-BAD0DF6E5DE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*",
              "matchCriteriaId": "DF1BB9E6-D690-4C12-AEF0-4BD712869CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*",
              "matchCriteriaId": "653A0452-070F-4312-B94A-F5BCB01B9BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*",
              "matchCriteriaId": "15B67345-D0AF-4BFD-A62D-870F75306A4F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*",
              "matchCriteriaId": "DE1F4262-A054-48CC-BF1D-AA77A94FFFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*",
              "matchCriteriaId": "D176CECA-2821-49EA-86EC-1184C133C0A3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system\u0027s temp folder by modifying the `maxFileSize` parameter."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Image Uploader en Liferay Portal 7.2.0 a 7.4.3.15 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 16, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 19 y versiones anteriores no compatibles se basa en un par\u00e1metro de solicitud para limitar el tama\u00f1o de los archivos que se pueden cargar, lo que permite a los usuarios autenticados remotamente cargar archivos arbitrariamente grandes a la carpeta temporal del sistema modificando el par\u00e1metro `maxFileSize`."
    }
  ],
  "id": "CVE-2024-26265",
  "lastModified": "2025-01-28T21:35:11.500",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T13:15:08.673",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26265"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26265"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-16 15:15
Modified
2024-11-21 06:00
Summary
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.
Impacted products
Vendor Product Version
liferay liferay_portal 7.3.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C673509-5436-44DF-AFCE-BE5C3188D62F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the Asset module\u0027s categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-site scripting (XSS) en la p\u00e1gina de administraci\u00f3n de categor\u00edas del m\u00f3dulo Asset en Liferay Portal versi\u00f3n 7.3.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios por medio del nombre del sitio"
    }
  ],
  "id": "CVE-2021-29039",
  "lastModified": "2024-11-21T06:00:34.373",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-16T15:15:07.457",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-05-24 16:15
Modified
2024-11-21 08:06
Summary
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
Impacted products
Vendor Product Version
liferay digital_experience_platform 7.4
liferay liferay_portal 7.4.3.67



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*",
              "matchCriteriaId": "960F3F22-9CC8-4655-9B09-777E5A5A1239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:7.4.3.67:*:*:*:*:*:*:*",
              "matchCriteriaId": "6604D03B-8134-40FE-AEAF-41F77E5570DC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL."
    }
  ],
  "id": "CVE-2023-33948",
  "lastModified": "2024-11-21T08:06:16.280",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@liferay.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-24T16:15:10.007",
  "references": [
    {
      "source": "security@liferay.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948"
    }
  ],
  "sourceIdentifier": "security@liferay.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@liferay.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-08-07 16:29
Modified
2024-11-21 03:09
Summary
XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.
Impacted products
Vendor Product Version
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:ga3:*:*:*:*:*:*",
              "matchCriteriaId": "2EF349F1-9D4E-41AD-8C60-3E69F4141B75",
              "versionEndIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Liferay Portal en versiones anteriores a la 7.0 CE GA4 mediante un nombre de inicio de sesi\u00f3n, contrase\u00f1a o direcci\u00f3n de email."
    }
  ],
  "id": "CVE-2017-12646",
  "lastModified": "2024-11-21T03:09:57.897",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-07T16:29:00.297",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/49833"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/brianchandotcom/liferay-portal/pull/49833"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-16 16:15
Modified
2024-11-21 06:00
Summary
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch other, more focused attacks via crafted inputs.
Impacted products
Vendor Product Version
liferay dxp *
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.0
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.1
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay dxp 7.2
liferay liferay_portal *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78032EA3-6397-41E7-9757-5A1D86538B09",
              "versionEndExcluding": "7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "43A92274-7D88-4F0F-8265-CF862011F27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "4874012D-52AA-4C32-95E9-BD331225B4E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "21CAF86F-CEC9-44EE-BAF8-0F7AF9D945F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_24:*:*:*:*:*:*",
              "matchCriteriaId": "EF6C9F29-EEFF-4737-BD50-58572D6C14E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_25:*:*:*:*:*:*",
              "matchCriteriaId": "D24E1FA0-BD94-4AFC-92BF-AEDEBC7DCF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_26:*:*:*:*:*:*",
              "matchCriteriaId": "FF9B54EE-973B-44B4-8EA2-B58FA49AC561",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_27:*:*:*:*:*:*",
              "matchCriteriaId": "A9637223-557D-474B-A46B-D276866376C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_28:*:*:*:*:*:*",
              "matchCriteriaId": "F6306F9C-99DE-4F94-8E7F-6747762BEC45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_3\\+:*:*:*:*:*:*",
              "matchCriteriaId": "2DFF08F0-77C1-43A0-B7DD-9B905BE074EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_30:*:*:*:*:*:*",
              "matchCriteriaId": "48B7015C-26B9-453E-B3CF-9B220D3A8024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_33:*:*:*:*:*:*",
              "matchCriteriaId": "0FEB6921-3C45-4B7E-8B34-CDC34984583D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_35:*:*:*:*:*:*",
              "matchCriteriaId": "525F45DC-2E5C-46A8-AEDF-9D6B8FA2EB11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_36:*:*:*:*:*:*",
              "matchCriteriaId": "55755D0C-4C0C-42D9-BE5E-5D33C8BA4C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_39:*:*:*:*:*:*",
              "matchCriteriaId": "FB4FE0F9-EB19-45D7-A953-674629D951F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_40:*:*:*:*:*:*",
              "matchCriteriaId": "22E4B63F-01A9-4F85-92BC-A51F41BE4121",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_41:*:*:*:*:*:*",
              "matchCriteriaId": "23BE441D-8770-4F4D-86CD-4E53161F54FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_42:*:*:*:*:*:*",
              "matchCriteriaId": "E14FF010-3907-4C79-B945-C792E446CB31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_43:*:*:*:*:*:*",
              "matchCriteriaId": "B97B5817-B55E-485D-9747-3A50CF7245C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_44:*:*:*:*:*:*",
              "matchCriteriaId": "19EBD671-56BD-45D3-9248-DAF3F47B36FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_45:*:*:*:*:*:*",
              "matchCriteriaId": "93EDC2A1-9622-44DB-ABA8-754D61B60787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_46:*:*:*:*:*:*",
              "matchCriteriaId": "B4B6A06D-C323-431C-9A65-4FD6A6E4CAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_47:*:*:*:*:*:*",
              "matchCriteriaId": "EE6D4466-1C3A-4D5A-A65C-A30A87EADF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_48:*:*:*:*:*:*",
              "matchCriteriaId": "4F0BC40A-8E13-4665-A2E4-F5815CA70E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_49:*:*:*:*:*:*",
              "matchCriteriaId": "11FB69C3-7755-495A-AB76-201AF4D9623B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_50:*:*:*:*:*:*",
              "matchCriteriaId": "FF66F652-6C08-4D47-865D-36E70360B632",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_51:*:*:*:*:*:*",
              "matchCriteriaId": "17B68D59-0509-4C6A-B803-03A02EB76F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_52:*:*:*:*:*:*",
              "matchCriteriaId": "8F69B287-3B86-4B64-BCB4-40E9495A628D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_53:*:*:*:*:*:*",
              "matchCriteriaId": "C627090E-A1BF-4332-9538-EE4E184DB65E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_54:*:*:*:*:*:*",
              "matchCriteriaId": "9A089471-9944-4C75-A25F-1F23C18C0CF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_56:*:*:*:*:*:*",
              "matchCriteriaId": "B90E7FBF-6B5B-457A-8B20-ECA69A626BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_57:*:*:*:*:*:*",
              "matchCriteriaId": "1975C1AB-EF50-42E2-9879-17FB763B45F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_58:*:*:*:*:*:*",
              "matchCriteriaId": "DFB7BB13-773B-47A6-A001-B9EBA46C917E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_59:*:*:*:*:*:*",
              "matchCriteriaId": "1C4A2D39-3725-4E80-9F3F-AC1F4EE662E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_60:*:*:*:*:*:*",
              "matchCriteriaId": "BAEDF88B-B9C8-4891-B199-A72C066FC7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_61:*:*:*:*:*:*",
              "matchCriteriaId": "F768E1DD-3DC6-4783-82DE-D089C7CD3C63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_64:*:*:*:*:*:*",
              "matchCriteriaId": "426EDA92-FE5A-4523-8AAE-1E5D5D67F535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_65:*:*:*:*:*:*",
              "matchCriteriaId": "070CB609-6D4B-4817-9F91-00BD62423E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_66:*:*:*:*:*:*",
              "matchCriteriaId": "FEE87846-A4CF-47E5-93AA-5D7E2548D28D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_67:*:*:*:*:*:*",
              "matchCriteriaId": "A4C11B0E-6D94-4A65-83BE-1E5828710CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_68:*:*:*:*:*:*",
              "matchCriteriaId": "F1DC73B1-4017-424F-A28D-F54F2FA8ED8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_69:*:*:*:*:*:*",
              "matchCriteriaId": "32B4FD3C-7BB7-4DA2-9A3A-05A6370B9745",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_70:*:*:*:*:*:*",
              "matchCriteriaId": "71293E5B-4DCC-47BC-A493-3540D57E6067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_71:*:*:*:*:*:*",
              "matchCriteriaId": "56A8940B-318E-4C6A-9131-A50E90E82C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_72:*:*:*:*:*:*",
              "matchCriteriaId": "F09B5E82-DC18-4B07-9A05-E433579B4FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_73:*:*:*:*:*:*",
              "matchCriteriaId": "CE25D189-2D6F-4229-BF09-2CEA0A6C5D50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_75:*:*:*:*:*:*",
              "matchCriteriaId": "36549BE5-DEDB-408A-BFC9-AB00031D45DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_76:*:*:*:*:*:*",
              "matchCriteriaId": "E11B8075-4212-41CB-85AC-09FA1CDB86A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_78:*:*:*:*:*:*",
              "matchCriteriaId": "80412DCE-D79F-492A-8788-6A43C4D76D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_79:*:*:*:*:*:*",
              "matchCriteriaId": "BC7A939F-21D1-4AF1-BAB9-E91DFCFFB7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_80:*:*:*:*:*:*",
              "matchCriteriaId": "5F2240FC-EDDC-47F5-B713-07FF2D23CE00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_81:*:*:*:*:*:*",
              "matchCriteriaId": "5006AAE4-B154-468A-850C-20171965E2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_82:*:*:*:*:*:*",
              "matchCriteriaId": "1541072D-3F14-47A2-8A42-EF2765643AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_83:*:*:*:*:*:*",
              "matchCriteriaId": "2340C85F-0296-4591-8D23-56634C50C5F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_84:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC3C5C-DA8C-4620-A38E-BB47D4CB7CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_85:*:*:*:*:*:*",
              "matchCriteriaId": "6DD38B1F-7EEA-4DB5-A31B-D84DC33313FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_86:*:*:*:*:*:*",
              "matchCriteriaId": "FC923A9E-CF9D-44DE-AB58-7BCAAFDDE7D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_87:*:*:*:*:*:*",
              "matchCriteriaId": "65542031-04E1-485F-8102-04CB65865ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_88:*:*:*:*:*:*",
              "matchCriteriaId": "B36F2FBD-E949-4608-9ECF-0F05DD8E487E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_89:*:*:*:*:*:*",
              "matchCriteriaId": "D68832F1-6D71-4A63-AA8A-86C0EDF9F8E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_90:*:*:*:*:*:*",
              "matchCriteriaId": "FD1F579A-084C-46A9-ADCA-8F3FA45D85D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_91:*:*:*:*:*:*",
              "matchCriteriaId": "FC81C494-F68E-4580-87FB-7792C1080DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_92:*:*:*:*:*:*",
              "matchCriteriaId": "6693594D-6731-4223-8C28-4873746B97AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_93:*:*:*:*:*:*",
              "matchCriteriaId": "0B96CDC5-F4DE-49A2-B09D-318163EC9A09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_94:*:*:*:*:*:*",
              "matchCriteriaId": "EEAE13AF-DEEE-4284-A93D-EFE2647E12FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_95:*:*:*:*:*:*",
              "matchCriteriaId": "9EEADDC3-C436-452F-9271-8F30A9D03FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.0:fix_pack_96:*:*:*:*:*:*",
              "matchCriteriaId": "A775E68D-A18E-433F-A9D0-AB6E71495936",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "C2AA7E18-A41B-4F0D-A04F-57C5745D091B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "392B783D-620D-4C71-AAA0-848B16964A27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "4F5A94E2-22B7-4D2D-A491-29F395E727C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "E9B10908-C42B-4763-9D47-236506B0E84A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "CF544435-36AC-49B8-BA50-A6B6D1678BBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "9D265542-5333-4CCD-90E5-B5F6A55F9863",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "1763CD8B-3ACD-4617-A1CA-B9F77A074977",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "F25C66AA-B60D-413C-A848-51E12D6080AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "071A0D53-EC95-4B18-9FA3-55208B1F7B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "CC26A9D4-14D6-46B1-BB00-A2C4386EBCA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_18:*:*:*:*:*:*",
              "matchCriteriaId": "350CDEDA-9A20-4BC3-BEAE-8346CED10CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_19:*:*:*:*:*:*",
              "matchCriteriaId": "10C6107E-79B3-4672-B3E5-8A2FA9A829CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "3233D306-3F8E-40A4-B132-7264E63DD131",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "9EAEA45A-0370-475E-B4CB-395A434DC3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "39310F05-1DB6-43BA-811C-9CB91D6DCF20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "D6135B16-C89E-4F49-BA15-823E2AF26D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC887BEC-915B-44AC-B473-5448B3D8DCF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "D7A7CC60-C294-41EC-B000-D15AAA93A3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "022132F8-6E56-4A29-95D6-3B7861D39CDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "651DA9B7-9C11-47A7-AF5C-95625C8FFF6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5513FCC4-B6FB-4C86-81E6-05059FCD8DEB",
              "versionEndIncluding": "7.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs."
    },
    {
      "lang": "es",
      "value": "Los servicios web JSON en Liferay Portal versiones 7.3.4 y anteriores, y Liferay DXP  versiones 7.0 anteriores al fixpack 97, versiones 7.1 anteriores al fixpack 20 y versiones 7.2 anteriores al fixpack 10, pueden proporcionar mensajes de error demasiado detallados, lo que permite a atacantes remotos usar el contenido del error de mensajes para ayudar a lanzar otros ataques m\u00e1s enfocados por medio de entradas dise\u00f1adas"
    }
  ],
  "id": "CVE-2021-29040",
  "lastModified": "2024-11-21T06:00:34.533",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-16T16:15:07.213",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://liferay.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743429"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-09-22 18:15
Modified
2024-11-21 05:06
Summary
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "072F6C59-3D86-48D1-A14E-477FFFA3B1D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_10:*:*:*:*:*:*",
              "matchCriteriaId": "FE68B4A2-3459-4DBA-8BAC-E9AA9FA25264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_11:*:*:*:*:*:*",
              "matchCriteriaId": "680D7963-1393-4E86-A65F-D4463D532120",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_12:*:*:*:*:*:*",
              "matchCriteriaId": "D81E73DD-FD21-4082-A883-34422AE6C024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_13:*:*:*:*:*:*",
              "matchCriteriaId": "E6DD0451-98EA-4140-8294-77A14F063E2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_14:*:*:*:*:*:*",
              "matchCriteriaId": "CE94E76B-8CC2-4E91-B7A3-EEBCC1358FF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_15:*:*:*:*:*:*",
              "matchCriteriaId": "408BD438-E15C-422F-9612-C62A7387FC63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_16:*:*:*:*:*:*",
              "matchCriteriaId": "A78C8B1C-39CB-4C27-B57C-0AF5E7EB50D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_17:*:*:*:*:*:*",
              "matchCriteriaId": "0AB19E97-BACE-4FCC-A53F-078D61A7A9E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "386F0E26-78DC-4D59-A20F-B41D0E59561B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "54576481-2AE9-4133-9EFA-B7FBDCA4427D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "E29CE810-76D5-4283-B102-70344B6C9506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "DA869467-C560-4130-A180-86819F6A8673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_6:*:*:*:*:*:*",
              "matchCriteriaId": "CC0C94B7-31FB-4115-8EDE-62CC459B6663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_7:*:*:*:*:*:*",
              "matchCriteriaId": "07DEAA71-53DA-4508-B7E6-924ABED49E66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_8:*:*:*:*:*:*",
              "matchCriteriaId": "467323F6-5CA7-42A0-9810-C6FA694CEC93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:fix_pack_9:*:*:*:*:*:*",
              "matchCriteriaId": "32EFFD8A-1C0D-446B-AAD7-5D23D483D3D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "58CE2C64-BC5F-4281-AD98-B2C4B24A949C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
              "matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
              "matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
              "matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
              "matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "94896449-7A52-40D2-8E76-26DC60D7BA9A",
              "versionEndExcluding": "7.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files."
    },
    {
      "lang": "es",
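      "value": "Liferay Portal versiones anteriores a 7.3.3, y Liferay DXP versiones 7.1 anteriores a fixpack 18 y versiones 7.2 anteriores a fixpack 6, no restringen el tama\u00f1o de una acci\u00f3n POST multipart/form-data, lo que permite a usuarios autenticados remotos conducir ataques de denegaci\u00f3n de servicio mediante la carga de archivos grandes"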
    }
  ],
  "id": "CVE-2020-15839",
  "lastModified": "2024-11-21T05:06:17.603",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-22T18:15:23.980",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17029"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17055"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17029"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.liferay.com/browse/LPE-17055"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}