Filtered by vendor Liferay
Subscriptions
Total
197 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-33323 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 7.5 High |
| The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user. | ||||
| CVE-2021-33324 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 4.3 Medium |
| The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration. | ||||
| CVE-2021-33325 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 4.9 Medium |
| The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password. | ||||
| CVE-2021-33330 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 4.3 Medium |
| Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token. | ||||
| CVE-2021-33331 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 6.1 Medium |
| Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter. | ||||
| CVE-2021-33332 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter. | ||||
| CVE-2021-33333 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 6.3 Medium |
| The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs. | ||||
| CVE-2021-33335 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 7.2 High |
| Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user. | ||||
| CVE-2021-33336 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 5.4 Medium |
| Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter. | ||||
| CVE-2021-33337 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter. | ||||
| CVE-2021-33338 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 7.5 High |
| The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter. | ||||
| CVE-2021-33339 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 4.8 Medium |
| Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter. | ||||
| CVE-2022-28978 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 5.4 Medium |
| Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name. | ||||
| CVE-2022-28979 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 6.1 Medium |
| Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field. | ||||
| CVE-2022-42111 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 5.4 Medium |
| A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. | ||||
| CVE-2022-42112 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 5.4 Medium |
| A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. | ||||
| CVE-2022-42121 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 8.8 High |
| A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field. | ||||
| CVE-2024-25144 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 4.1 Medium |
| The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame. | ||||
| CVE-2024-25145 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 9.6 Critical |
| Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application. | ||||
| CVE-2022-42118 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 6.1 Medium |
| A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter. | ||||