Filtered by vendor: Liferay
Filtered by product: Liferay Portal
Total 143 CVE
CVE | Vendors | Products | Updated | CVSS v3.1
CVE-2017-12649 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-17 | CVSS v3.1: N/A
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.
CVE-2011-1503 | Vendors (3): Liferay, Linux, Microsoft | Products (3): Liferay Portal, Linux Kernel, Windows 7 | Updated: 2024-09-17 | CVSS v3.1: N/A
The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL.
CVE-2011-1571 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-17 | CVSS v3.1: N/A
Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.
CVE-2017-12648 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-16 | CVSS v3.1: N/A
XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.
CVE-2011-1570 | Vendors (2): Liferay, Microsoft | Products (2): Liferay Portal, Windows 7 | Updated: 2024-09-16 | CVSS v3.1: N/A
Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030.
CVE-2009-3742 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-16 | CVSS v3.1: N/A
Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter.
CVE-2016-10404 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-16 | CVSS v3.1: N/A
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.
CVE-2017-12645 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-16 | CVSS v3.1: N/A
XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.
CVE-2017-12646 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-16 | CVSS v3.1: N/A
XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.
CVE-2011-1502 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-16 | CVSS v3.1: N/A
Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue.
CVE-2017-12647 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-09-16 | CVSS v3.1: N/A
XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.
CVE-2023-42497 | Vendors (1): Liferay | Products (2): Digital Experience Platform, Liferay Portal | Updated: 2024-09-13 | CVSS v3.1: 9.6 Critical
Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.
CVE-2023-44309 | Vendors (1): Liferay | Products (2): Digital Experience Platform, Liferay Portal | Updated: 2024-09-13 | CVSS v3.1: 9 Critical
Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.
CVE-2023-44310 | Vendors (1): Liferay | Products (2): Digital Experience Platform, Liferay Portal | Updated: 2024-09-13 | CVSS v3.1: 9 Critical
Stored cross-site scripting (XSS) vulnerability in the Page Tree menu in Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a page's "Name" text field.
CVE-2023-44311 | Vendors (1): Liferay | Products (2): Digital Experience Platform, Liferay Portal | Updated: 2024-09-13 | CVSS v3.1: 9.6 Critical
Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941.
CVE-2023-47797 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-08-29 | CVSS v3.1: 9.6 Critical
Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter.
CVE-2024-25145 | Vendors (1): Liferay | Products (2): Dxp, Liferay Portal | Updated: 2024-08-22 | CVSS v3.1: 9.6 Critical
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.
CVE-2024-25148 | Vendors (1): Liferay | Products (2): Dxp, Liferay Portal | Updated: 2024-08-21 | CVSS v3.1: 5.4 Medium
In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.
CVE-2010-5327 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-08-07 | CVSS v3.1: N/A
Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.
CVE-2014-8349 | Vendors (1): Liferay | Products (1): Liferay Portal | Updated: 2024-08-06 | CVSS v3.1: N/A
Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.