Filtered by vendor Liferay
Subscriptions
Total
158 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-15839 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2020-09-30 | 6.5 Medium |
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. | ||||
CVE-2020-24554 | 1 Liferay | 1 Liferay Portal | 2020-09-08 | 7.5 High |
The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist. | ||||
CVE-2020-15842 | 1 Liferay | 2 Dxp, Liferay Portal | 2020-07-24 | 8.1 High |
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | ||||
CVE-2020-13444 | 1 Liferay | 1 Liferay Portal | 2020-07-16 | 6.5 Medium |
Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers. | ||||
CVE-2019-16147 | 1 Liferay | 1 Liferay Portal | 2019-09-10 | 6.1 Medium |
Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib. | ||||
CVE-2019-6588 | 1 Liferay | 1 Liferay Portal | 2019-06-12 | N/A |
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable. | ||||
CVE-2007-6173 | 1 Liferay | 1 Liferay Enterprise Portal | 2018-10-15 | N/A |
Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay Enterprise Portal 4.3.1 allows remote attackers to inject arbitrary web script or HTML via the emailAddress parameter in a Send New Password action, a different vector than CVE-2007-6055. NOTE: some of these details are obtained from third party information. | ||||
CVE-2007-6055 | 1 Liferay | 1 Portal | 2018-10-15 | N/A |
Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay Portal 4.1.0 and 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the login parameter. NOTE: this issue reportedly exists because of a regression that followed a fix at an unspecified earlier date. | ||||
CVE-2009-1294 | 2 Liferay, Novell | 2 Liferay Enterprise Portal, Teaming | 2018-10-10 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in web/guest/home in the Liferay 4.3.0 portal in Novell Teaming 1.0 through SP3 (1.0.3) allow remote attackers to inject arbitrary web script or HTML via the (1) p_p_state or (2) p_p_mode parameters. | ||||
CVE-2017-1000425 | 1 Liferay | 1 Liferay Portal | 2018-03-29 | N/A |
Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter. | ||||
CVE-2017-17868 | 1 Liferay | 1 Liferay Portal | 2018-01-09 | N/A |
In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag. | ||||
CVE-2004-2030 | 1 Liferay | 1 Liferay Enterprise Portal | 2017-07-11 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in index.jsp for Liferay before 2.2.0 release 10/1/2004 allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the message subject. | ||||
CVE-2016-6517 | 1 Liferay | 1 Liferay | 2017-01-26 | N/A |
Directory traversal vulnerability in Liferay 5.1.0 allows remote attackers to have unspecified impact via a %2E%2E (encoded dot dot) in the minifierBundleDir parameter to barebone.jsp. | ||||
CVE-2010-5327 | 1 Liferay | 1 Liferay Portal | 2017-01-17 | N/A |
Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template. | ||||
CVE-2016-3670 | 1 Liferay | 1 Liferay Portal | 2016-06-20 | N/A |
Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field. | ||||
CVE-2014-8349 | 1 Liferay | 1 Liferay Portal | 2015-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file. | ||||
CVE-2014-2963 | 1 Liferay | 1 Liferay Portal | 2014-07-10 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter. | ||||
CVE-2005-4400 | 1 Liferay | 1 Liferay Portal Enterprise | 2008-09-20 | N/A |
Cross-site scripting (XSS) vulnerability in downloads/portal_ent in Liferay Portal Enterprise 3.6.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) _77_struts_action, (2) p_p_mode, and (3) p_p_state parameters. |