This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor            Liferay
Product           Liferay Portal
Version
Update
Edition
Language
Software Edition
Target Software
Target Hardware
Other

First view        2010-01-07
Last view         2020-09-24
Type              Application

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:liferay:liferay_portal:4.1.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.1.0:*:*:enterprise:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:*:*:enterprise:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.1.1:*:*:enterprise:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:5.2.3:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:1.7.5:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:1.8.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:1.9.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:1.9.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:1.9.5:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:2.0.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:2.0.3:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:2.1.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:2.1.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:2.2.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:2.2.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:2.2.5:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:3.0.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:3.1.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:3.2.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:3.5.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:3.6.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:3.6.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.0.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.0.0:rc1:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.0.0:rc2:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.1.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.1.2:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.1.3:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.2.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.2.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.2.2:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.0:rc1:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.0:rc2:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.2:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.3:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.4:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.5:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.3.6:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.4.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.4.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:4.4.2:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:5.0.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:5.0.0:rc1:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:5.1.0:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:5.1.0:rc1:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:5.1.1:*:*:*:*:*:*:* 26
cpe:2.3:a:liferay:liferay_portal:5.1.2:*:*:*:*:*:*:* 26

Related : CVE

This CPE product has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Score Date Alert Description
5.3 2020-09-24 CVE-2020-15840

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.

6.5 2020-09-22 CVE-2020-15839

Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.

7.5 2020-09-01 CVE-2020-24554

The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist.

8.1 2020-07-20 CVE-2020-15842

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

8.8 2020-07-20 CVE-2020-15841

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.

8.8 2020-06-10 CVE-2020-13445

In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.

6.5 2020-06-10 CVE-2020-13444

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.

9.8 2020-03-20 CVE-2020-7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

5.4 2020-01-28 CVE-2020-7934

In Liferay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.

8.8 2019-10-04 CVE-2019-16891

Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.

6.1 2019-09-09 CVE-2019-16147

Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.

4.7 2019-06-03 CVE-2019-6588

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call or . Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

7.2 2019-04-22 CVE-2019-11444

** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.

8.8 2018-05-07 CVE-2018-10795

** DISPUTED ** Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files.

6.1 2018-01-02 CVE-2017-1000425

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.

6.1 2017-12-27 CVE-2017-17868

In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag.

6.1 2017-08-07 CVE-2017-12649

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.

6.1 2017-08-07 CVE-2017-12648

XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.

6.1 2017-08-07 CVE-2017-12647

XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.

6.1 2017-08-07 CVE-2017-12646

XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.

6.1 2017-08-07 CVE-2017-12645

XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.

6.1 2017-08-07 CVE-2016-10404

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.

8.8 2017-01-13 CVE-2010-5327

Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.

6.1 2016-06-13 CVE-2016-3670

Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.

3.5 2014-11-24 CVE-2014-8349

Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.

CWE : Common Weakness Enumeration

% id Name
59% (16) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
11% (3) CWE-502 Deserialization of Untrusted Data
7% (2) CWE-434 Unrestricted Upload of File with Dangerous Type
7% (2) CWE-200 Information Exposure
3% (1) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
3% (1) CWE-522 Insufficiently Protected Credentials
3% (1) CWE-264 Permissions, Privileges, and Access Controls
3% (1) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...

Open Source Vulnerability Database (OSVDB)

id Description
73652 Liferay Portal Community Edition XSL Content Portlet Unspecified Remote Code ...
73651 Liferay Portal Community Edition Message Title XSS
73649 Liferay Portal Community Edition XSL Content Portlet file:/// URL Arbitrary F...
73648 Liferay Portal Community Edition XML External Entity Declaration / Reference ...
61511 Liferay Portal Control Panel Plugins Configuration p_p_id Parameter XSS

Nessus® Vulnerability Scanner

id Description
2012-05-22 Name: The remote web server contains a Java application that is affected by multipl...
File: liferay_6_0_6.nasl - Type: ACT_GATHER_INFO