Liferay Portal

liferay_portal

Vendor: Liferay • 319 CVEs

CVEs (319)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-29046 1Liferay 2Dxp Liferay Portal Nov 21, 2024 May 17, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML v...Show more Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.Show less
CVE-2021-29045 1Liferay 2Dxp Liferay Portal Nov 21, 2024 May 17, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary w...Show more Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter.Show less
CVE-2021-29044 1Liferay 3Digital Experience Platform DxpLiferay Portal May 13, 2025 May 17, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix...Show more Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.Show less
CVE-2021-29043 1Liferay 3Digital Experience Platform DxpLiferay Portal May 13, 2025 May 17, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy pass...Show more The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.Show less
CVE-2021-29047 1Liferay 2Dxp Liferay Portal Nov 21, 2024 May 16, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions prot...Show more The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.Show less
CVE-2021-29040 1Liferay 2Digital Experience Platform Liferay Portal May 13, 2025 May 16, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attacker...Show more The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs.Show less
CVE-2021-29039 1Liferay 1Liferay Portal Nov 21, 2024 May 16, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.
CVE-2020-25476 1Liferay 1Liferay Portal Nov 21, 2024 Jan 7, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname o...Show more Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload.Show less
CVE-2020-15840 1Liferay 2Digital Experience Platform Liferay Portal May 13, 2025 Sep 24, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
CVE-2020-15839 1Liferay 2Digital Experience Platform Liferay Portal Nov 21, 2024 Sep 22, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of...Show more Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.Show less
CVE-2020-24554 1Liferay 1Liferay Portal Nov 21, 2024 Sep 1, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated reque...Show more The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist.Show less
CVE-2020-15842 1Liferay 2Digital Experience Platform Liferay Portal May 13, 2025 Jul 20, 2020 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, becaus...Show more Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.Show less
CVE-2020-15841 1Liferay 2Digital Experience Platform Liferay Portal Aug 15, 2025 Jul 20, 2020 N/A· v4 8.8 HIGH· v3 4.3 MEDIUM· v2 Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP...Show more Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.Show less
CVE-2020-13445 1Liferay 1Liferay Portal Nov 21, 2024 Jun 10, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authentic...Show more In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.Show less
CVE-2020-13444 1Liferay 1Liferay Portal Nov 21, 2024 Jun 10, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authen...Show more Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.Show less
CVE-2020-7961 1Liferay 1Liferay Portal Nov 7, 2025 Mar 20, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
CVE-2020-7934 1Liferay 1Liferay Portal Nov 21, 2024 Jan 28, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a...Show more In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.Show less
CVE-2019-16891 1Liferay 1Liferay Portal Nov 21, 2024 Oct 4, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
CVE-2019-16147 1Liferay 1Liferay Portal Nov 21, 2024 Sep 9, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.
CVE-2019-6588 1Liferay 1Liferay Portal Nov 21, 2024 Jun 3, 2019 N/A· v4 4.7 MEDIUM· v3 2.6 LOW· v2 In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" />...Show more In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.Show less

Previous 1...12 13 141516 Next