Vulnerabilities (CVE)

Filtered by vendor Liferay Subscribe
Total 193 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-28979 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-27 N/A 6.1 MEDIUM
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
CVE-2022-39975 1 Liferay 2 Dxp, Liferay Portal 2025-05-27 N/A 4.3 MEDIUM
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
CVE-2022-28978 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-27 N/A 5.4 MEDIUM
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name.
CVE-2022-38512 1 Liferay 2 Dxp, Liferay Portal 2025-05-27 N/A 6.5 MEDIUM
The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.
CVE-2022-28982 1 Liferay 2 Dxp, Liferay Portal 2025-05-27 N/A 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
CVE-2022-28981 1 Liferay 1 Liferay Portal 2025-05-27 N/A 7.5 HIGH
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.
CVE-2022-28980 1 Liferay 2 Dxp, Liferay Portal 2025-05-27 N/A 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.
CVE-2022-28977 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-27 N/A 6.1 MEDIUM
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.
CVE-2022-38902 1 Liferay 2 Dxp, Liferay Portal 2025-05-15 N/A 5.4 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic.
CVE-2021-29040 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 5.0 MEDIUM 5.3 MEDIUM
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs.
CVE-2022-42111 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-13 N/A 5.4 MEDIUM
A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload.
CVE-2024-25144 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-13 N/A 4.1 MEDIUM
The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.
CVE-2021-29048 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-13 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.
CVE-2021-33332 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter.
CVE-2021-29049 1 Liferay 2 Digital Experience Platform, Dxp 2025-05-13 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter.
CVE-2021-33326 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.
CVE-2021-29044 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-13 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.
CVE-2021-33323 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 5.0 MEDIUM 7.5 HIGH
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.
CVE-2020-15840 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 5.0 MEDIUM 5.3 MEDIUM
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
CVE-2021-33333 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 6.5 MEDIUM 6.3 MEDIUM
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs.