Search
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-33335 | 1 Liferay | 2 Dxp, Liferay Portal | 2022-07-12 | 6.5 MEDIUM | 7.2 HIGH |
| Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user. | |||||
| CVE-2021-33321 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-08-11 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. | |||||
| CVE-2021-33322 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-08-11 | 5.0 MEDIUM | 7.5 HIGH |
| In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. | |||||
| CVE-2021-33323 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-08-11 | 5.0 MEDIUM | 7.5 HIGH |
| The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user. | |||||
| CVE-2021-33338 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-08-11 | 5.1 MEDIUM | 7.5 HIGH |
| The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter. | |||||
| CVE-2020-15841 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-07-21 | 4.3 MEDIUM | 8.8 HIGH |
| Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature. | |||||
| CVE-2021-29053 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-05-24 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C. | |||||
| CVE-2021-29047 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer. | |||||
| CVE-2020-15842 | 1 Liferay | 2 Dxp, Liferay Portal | 2020-07-24 | 6.8 MEDIUM | 8.1 HIGH |
| Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | |||||