Maven package
com.liferay.portal/release.portal.bom
pkg:maven/com.liferay.portal/release.portal.bom
Vulnerabilities (159)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-29040 | — | — | — | < 7.3.5 | 7.3.5 | May 16, 2021 | The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch anoth |
| CVE-2021-29039 | — | — | — | >= 7.3.4, < 7.3.5 | 7.3.5 | May 16, 2021 | Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name. |
| CVE-2020-25476 | — | — | — | <= 7.1.3 | — | Jan 7, 2021 | Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious paylo |
| CVE-2020-15840 | — | — | — | < 7.3.1 | 7.3.1 | Sep 24, 2020 | In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs. |
| CVE-2020-24554 | — | — | — | < 7.3.3 | 7.3.3 | Sep 1, 2020 | The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist. |
| CVE-2020-15842 | — | — | — | < 7.3.0 | 7.3.0 | Jul 20, 2020 | Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. |
| CVE-2020-15841 | — | — | — | < 7.3.0 | 7.3.0 | Jul 20, 2020 | Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature. |
| CVE-2020-13444 | — | — | — | >= 7.0.0, < 7.3.2 | 7.3.2 | Jun 10, 2020 | Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers. |
| CVE-2020-13445 | — | — | — | < 7.3.2 | 7.3.2 | Jun 10, 2020 | In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker |
| CVE-2020-7934 | — | — | — | >= 7.1.0, < 7.3.0 | 7.3.0 | Jan 28, 2020 | In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the databas |
| CVE-2019-16891 | — | — | — | < 7.1.1 | 7.1.1 | Oct 4, 2019 | Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. |
| CVE-2019-6588 | — | — | — | < 7.1.0 | 7.1.0 | Jun 3, 2019 | In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Por |
| CVE-2017-1000425 | — | — | — | < 7.1.0-a1 | 7.1.0-a1 | Jan 2, 2018 | Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter. |
| CVE-2017-12649 | Med | 6.1 | — | < 7.0.3-ga4 | 7.0.3-ga4 | Aug 7, 2017 | XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display. |
| CVE-2017-12648 | Med | 6.1 | — | < 7.0.3-GA4 | 7.0.3-GA4 | Aug 7, 2017 | XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL. |
| CVE-2017-12647 | Med | 6.1 | — | < 7.0.3-ga4 | 7.0.3-ga4 | Aug 7, 2017 | XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title. |
| CVE-2017-12646 | Med | 6.1 | — | < 7.0.3-GA4 | 7.0.3-GA4 | Aug 7, 2017 | XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address. |
| CVE-2017-12645 | Med | 6.1 | — | < 7.0.3-ga4 | 7.0.3-ga4 | Aug 7, 2017 | XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId. |
| CVE-2016-10404 | Med | 6.1 | — | < 7.0.3-ga4 | 7.0.3-ga4 | Aug 7, 2017 | XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp. |