Liferay

Liferay Portal

243 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2021-29039

  • EPSS 0.26%
  • Veröffentlicht 16.05.2021 15:15:07
  • Zuletzt bearbeitet 21.11.2024 06:00:34

Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.

6.1

CVE-2020-25476

  • EPSS 0.45%
  • Veröffentlicht 07.01.2021 17:15:12
  • Zuletzt bearbeitet 21.11.2024 05:18:02

Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own pr...

5.3

CVE-2020-15840

  • EPSS 0.19%
  • Veröffentlicht 24.09.2020 15:15:14
  • Zuletzt bearbeitet 13.05.2025 18:17:51

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.

6.5

CVE-2020-15839

  • EPSS 1.08%
  • Veröffentlicht 22.09.2020 18:15:23
  • Zuletzt bearbeitet 21.11.2024 05:06:17

Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading ...

7.5

CVE-2020-24554

  • EPSS 0.64%
  • Veröffentlicht 01.09.2020 14:15:12
  • Zuletzt bearbeitet 21.11.2024 05:14:58

The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exis...

8.8

CVE-2020-15841

  • EPSS 0.34%
  • Veröffentlicht 20.07.2020 02:15:11
  • Zuletzt bearbeitet 15.08.2025 20:21:27

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Tes...

8.1

CVE-2020-15842

  • EPSS 0.57%
  • Veröffentlicht 20.07.2020 02:15:11
  • Zuletzt bearbeitet 13.05.2025 18:17:51

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

6.5

CVE-2020-13444

  • EPSS 0.25%
  • Veröffentlicht 10.06.2020 19:15:09
  • Zuletzt bearbeitet 21.11.2024 05:01:16

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the pa...

8.8

CVE-2020-13445

Exploit
  • EPSS 3.71%
  • Veröffentlicht 10.06.2020 19:15:09
  • Zuletzt bearbeitet 21.11.2024 05:01:17

In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrar...

9.8

CVE-2020-7961

Warnung Exploit
  • EPSS 94.35%
  • Veröffentlicht 20.03.2020 19:15:12
  • Zuletzt bearbeitet 07.11.2025 22:04:20

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).