
Summary

Vendor: Liferay
Product: Liferay Portal
Version: 6.1.x_ee
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *

Detail

First view: 2014-07-10
Last view: 2020-09-01
Type: Application

CPE Product: cpe:2.3:a:liferay:liferay_portal


Related : CVE

Score (CVSS) | Date | CVE
7.5 2020-09-01 CVE-2020-24554

The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist.
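The weakness behind CVE-2020-24554 is a data structure that grows with every distinct missing URL an attacker requests. The following is an added example (not Liferay's redirect module; class and method names are assumptions) showing the unbounded pattern beside a bounded one that caps both the number of recorded URLs and the stored length of each:

```python
"""
Bounded "not found" URL recorder, added as an illustration of the weakness
class in CVE-2020-24554. Example code, not Liferay's; names are assumptions.
"""
from collections import OrderedDict


class UnboundedNotFoundLog:
    """Vulnerable pattern: every distinct missing URL is kept forever, so
    repeated requests for /x1, /x2, ... grow memory without limit."""

    def __init__(self):
        self.hits = {}

    def record(self, url):
        self.hits[url] = self.hits.get(url, 0) + 1

    def size(self):
        return len(self.hits)


class BoundedNotFoundLog:
    """Hardened pattern: cap the number of distinct URLs kept (evicting the
    least recently seen) and truncate each stored URL, so neither many
    requests nor one very long request can consume arbitrary memory."""

    def __init__(self, max_entries=1000, max_url_len=256):
        self.max_entries = max_entries
        self.max_url_len = max_url_len
        self.hits = OrderedDict()

    def record(self, url):
        key = url[: self.max_url_len]
        if key in self.hits:
            self.hits[key] += 1
            self.hits.move_to_end(key)  # mark as most recently seen
        else:
            if len(self.hits) >= self.max_entries:
                self.hits.popitem(last=False)  # drop least recently seen
            self.hits[key] = 1

    def size(self):
        return len(self.hits)

    def count(self, url):
        return self.hits.get(url[: self.max_url_len], 0)


def simulate_flood(log, n):
    """Constructed traffic: n requests for distinct non-existent pages.
    Returns how many distinct URLs the log holds afterwards."""
    for i in range(n):
        log.record(f"/does-not-exist-{i}")
    return log.size()


if __name__ == "__main__":
    print("unbounded:", simulate_flood(UnboundedNotFoundLog(), 5000))
    print("bounded:  ", simulate_flood(BoundedNotFoundLog(max_entries=100), 5000))
```

The bounded version trades completeness of the 404 report for a fixed memory ceiling; the eviction policy keeps the most recently seen URLs, which are the ones an operator investigating a broken link usually wants.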

8.1 2020-07-20 CVE-2020-15842

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

8.8 2020-07-20 CVE-2020-15841

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to an LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.

9.8 2020-03-20 CVE-2020-7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

5.4 2020-01-28 CVE-2020-7934

In Liferay Portal CE 7.1.0 through 7.2.1, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results).

6.1 2019-09-09 CVE-2019-16147

Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.

8.8 2018-05-07 CVE-2018-10795

** DISPUTED ** Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files.
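Whatever the outcome of the dispute above, the CWE-434 control a practitioner would want on any upload endpoint is an extension allowlist that cannot be bypassed by the usual filename tricks. The following is an added example (not Liferay's or FCKeditor's code; the allowlist, the set of interpreted extensions and the sample names are constructed). It complements, rather than replaces, the role-based access control the vendor refers to:

```python
"""
Upload filename validation by extension allowlist, added as an illustration
of a CWE-434 mitigation relevant to CVE-2018-10795. Example code; the
allowlists are assumptions chosen for a Java servlet-container deployment.
"""
import re
import unicodedata

# Types the application is willing to store (assumption for the example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Extensions a servlet container or the portal itself may execute or
# interpret if the file lands somewhere reachable (assumption).
DANGEROUS_EXTENSIONS = {"jsp", "jspx", "jsw", "jsv", "jspf", "war", "jar",
                        "html", "htm", "svg", "xml", "vm", "ftl", "sh"}


class RejectedUpload(ValueError):
    pass


def sanitize_upload_name(filename):
    """Return a safe basename, or raise RejectedUpload.

    Handles the tricks that bypass naive checks: directory components in
    either OS convention, null bytes, trailing dots/spaces, double
    extensions such as shell.jsp.png, case differences and Unicode
    compatibility look-alikes."""
    name = unicodedata.normalize("NFKC", filename)
    if "\x00" in name:
        raise RejectedUpload("null byte in filename")
    name = name.replace("\\", "/").split("/")[-1]   # drop any path
    name = name.strip().rstrip(". ")                 # Windows drops these
    if not name or name.startswith("."):
        raise RejectedUpload("empty or hidden filename")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise RejectedUpload("missing extension")
    exts = parts[1:]
    if any(e in DANGEROUS_EXTENSIONS for e in exts):
        raise RejectedUpload("interpreted extension present")
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension not allowed: .{final}")
    # Collapse inner dots so exactly one extension remains on disk.
    stem = "_".join(parts[:-1])
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        raise RejectedUpload("stem contains disallowed characters")
    return f"{stem}.{final}"


def is_safe_upload_name(filename):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        sanitize_upload_name(filename)
    except RejectedUpload:
        return False
    return True


if __name__ == "__main__":
    for candidate in ["Photo.PNG", "shell.jsp.png", "a.jsp;.png", "report.final.pdf"]:
        print(candidate, "->", is_safe_upload_name(candidate))
```

Extension checks alone do not prove the content is what it claims to be; in production this sits beside a content-type sniff of the bytes and storage outside any path the container will interpret.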

6.1 2018-01-02 CVE-2017-1000425

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.

6.1 2017-08-07 CVE-2017-12649

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.

6.1 2017-08-07 CVE-2017-12648

XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.

6.1 2017-08-07 CVE-2017-12647

XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.

6.1 2017-08-07 CVE-2017-12646

XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.

6.1 2017-08-07 CVE-2017-12645

XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.

6.1 2017-08-07 CVE-2016-10404

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.
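Two entries on this page turn on how a URL-valued parameter is validated: the javascript: URI in the "movie" parameter of flash.jsp (CVE-2017-1000425) and the crafted redirect field in the SPA init page (CVE-2016-10404). The following is an added example (not Liferay's code; function names and the trusted-host list are assumptions) of the two checks a practitioner would apply, sharing one normalisation step so scheme-obfuscation tricks are handled the same way in both:

```python
"""
URL parameter validation, added as an illustration of the checks for a
javascript: URI in an embed-style parameter (CVE-2017-1000425) and an
attacker-controlled redirect target (CVE-2016-10404). Example code, not
Liferay's; the trusted host list is an assumption.
"""
from urllib.parse import urlsplit, urlunsplit

SAFE_EMBED_SCHEMES = {"http", "https"}
TRUSTED_REDIRECT_HOSTS = {"portal.example.com"}   # assumption for the example


def _normalize(url):
    """Strip characters browsers ignore when reading a scheme, so
    'java\\tscript:' or ' JaVaScRiPt:' cannot slip past a naive check."""
    return "".join(ch for ch in url if ch not in "\t\n\r\x00").strip()


def is_safe_embed_url(url):
    """A value that will be emitted into markup (src, href, movie) must carry
    an explicit http(s) scheme and a host. javascript:, data:, vbscript:,
    and scheme-less or protocol-relative values are all rejected."""
    parts = urlsplit(_normalize(url))
    return parts.scheme.lower() in SAFE_EMBED_SCHEMES and bool(parts.netloc)


def safe_redirect_target(url, default="/"):
    """Return a redirect target that stays on this site.

    Accepts a path-only URL ('/web/guest/home') or an absolute URL whose
    hostname is trusted; anything else, including protocol-relative
    '//evil.example', backslash variants and userinfo tricks such as
    'https://trusted@evil.example', falls back to `default`."""
    cleaned = _normalize(url)
    if cleaned.startswith("/") and not cleaned.startswith(("//", "/\\")):
        return cleaned
    parts = urlsplit(cleaned)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in SAFE_EMBED_SCHEMES and host in TRUSTED_REDIRECT_HOSTS:
        return urlunsplit(parts)
    return default


if __name__ == "__main__":
    for u in ["https://cdn.example.com/player.swf", "javascript:alert(1)", " JaVa\tScRiPt:alert(1)"]:
        print(repr(u), "embed ok:", is_safe_embed_url(u))
    for u in ["/web/guest/home", "//evil.example/", "https://portal.example.com@evil.example/"]:
        print(repr(u), "redirect ->", safe_redirect_target(u))
```

Comparing `parts.hostname` rather than the raw `netloc` is what defeats the userinfo trick: `urlsplit` treats everything before `@` as credentials, so the host that the browser would actually connect to is the one checked.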

8.8 2017-01-13 CVE-2010-5327

Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.

6.1 2016-06-13 CVE-2016-3670

Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.

3.5 2014-11-24 CVE-2014-8349

Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.

4.3 2014-07-10 CVE-2014-2963

Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CWE : Common Weakness Enumeration

% (count) | CWE ID | Name
66% (12) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
11% (2) CWE-502 Deserialization of Untrusted Data
5% (1) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
5% (1) CWE-522 Insufficiently Protected Credentials
5% (1) CWE-434 Unrestricted Upload of File with Dangerous Type
5% (1) CWE-264 Permissions, Privileges, and Access Controls