com.liferay.portal:release.dxp.bom
Maven120 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting com.liferay.portal:release.dxp.bompage 1 of 3
- CVE-2020-13444MEDIUMCVSS 6.5EG 6.5✓ Fixed in 7.2.10.fp72020-06-10
vulnerable: 7.2.1 ... 7.2.10.fp6 (9 versions)
Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to ob…
- CVE-2020-13445HIGHCVSS 8.8EG 8.8✓ Fixed in 7.2.10.fp62020-06-10
vulnerable: 7.2.1 ... 7.2.10.fp5 (8 versions)
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execu…
- CVE-2020-15839MEDIUMCVSS 6.5EG 6.5✓ Fixed in 7.2.10.fp62020-09-22
vulnerable: 7.2.1 ... 7.2.10.fp5 (8 versions)
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by…
- CVE-2020-15840MEDIUMCVSS 5.3EG 5.3✓ Fixed in 7.2.10.fp72020-09-24
vulnerable: 7.2.1 ... 7.2.10.fp6 (9 versions)
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
- CVE-2020-15841HIGHCVSS 8.3EG 8.3✓ Fixed in 7.2.10.fp42020-07-20
vulnerable: 7.2.1 ... 7.2.10.fp3 (6 versions)
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password …
- CVE-2020-15842HIGHCVSS 8.1EG 8.1✓ Fixed in 7.2.10.fp52020-07-20
vulnerable: 7.2.1 ... 7.2.10.fp4 (7 versions)
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deser…
- CVE-2021-29038MEDIUMCVSS 6.3EG 6.3✓ Fixed in 7.3.10.fp12024-02-20
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5
Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attack…
- CVE-2021-29040MEDIUMCVSS 5.3EG 5.3✓ Fixed in 7.2.10.fp102021-05-16
vulnerable: 7.2.1 ... 7.2.10.fp9 (12 versions)
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the conten…
- CVE-2021-29041MEDIUMCVSS 6.5EG 6.5✓ Fixed in 7.3.10.fp12021-05-16
vulnerable: 7.0.10.14 ... 7.3.10.ep5 (125 versions)
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password…
- CVE-2021-29043MEDIUMCVSS 5.9EG 5.9✓ Fixed in 7.3.10.fp12021-05-17
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows …
- CVE-2021-29044MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp12021-05-17
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 bef…
- CVE-2021-29045MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp12021-05-17
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML v…
- CVE-2021-29046MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp12021-05-17
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay…
- CVE-2021-29047HIGHCVSS 7.5EG 7.5✓ Fixed in 7.3.10.fp12021-05-16
vulnerable: 7.0.10.14 ... 7.3.10.ep5 (125 versions)
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA …
- CVE-2021-29048MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp12021-05-17
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script…
- CVE-2021-29049MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp12021-06-09
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5
Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject a…
- CVE-2021-29050HIGHCVSS 8.8EG 8.8✓ Fixed in 7.2.10.fp112024-02-20
vulnerable: 7.2.1 ... 7.2.10.fp9 (13 versions)
Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social…
- CVE-2021-29051MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp12021-05-17
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to i…
- CVE-2021-29052MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.3.10.fp12021-05-17
vulnerable: 7.0.10.14 ... 7.3.10.ep5 (125 versions)
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authent…
- CVE-2021-29053HIGHCVSS 8.8EG 8.8✓ Fixed in 7.3.10.fp12021-05-17
vulnerable: 7.0.10.14 ... 7.3.10.ep5 (125 versions)
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC…
- CVE-2021-33320MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.2.10.fp52021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp4 (7 versions)
The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote …
- CVE-2021-33322HIGHCVSS 7.5EG 7.5✓ Fixed in 7.2.10.fp52021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp4 (7 versions)
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to…
- CVE-2021-33323HIGHCVSS 7.5EG 7.5✓ Fixed in 7.2.10.fp72021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp6 (9 versions)
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved …
- CVE-2021-33324MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.2.10.fp52021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp4 (7 versions)
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a p…
- CVE-2021-33325MEDIUMCVSS 4.9EG 4.9✓ Fixed in 7.2.10.fp72021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp6 (9 versions)
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for us…
- CVE-2021-33326MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.2.10.fp92021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp8 (11 versions)
Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary w…
- CVE-2021-33327MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.2.10.fp82021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp7 (10 versions)
The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated use…
- CVE-2021-33328MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.2.10.fp92021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp8 (11 versions)
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers t…
- CVE-2021-33331MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.2.10.fp82021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp7 (10 versions)
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary…
- CVE-2021-33332MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.2.10.fp72021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp6 (9 versions)
Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script o…
- CVE-2021-33333MEDIUMCVSS 6.3EG 6.3✓ Fixed in 7.2.10.fp62021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp5 (8 versions)
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to v…
- CVE-2021-33334MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.2.10.fp62021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp5 (8 versions)
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with …
- CVE-2021-33335HIGHCVSS 7.2EG 7.2✓ Fixed in 7.2.10.fp92021-08-03
vulnerable: 7.2.1 ... 7.2.10.fp8 (11 versions)
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company admin…
- CVE-2021-33336MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.2.10.fp72021-08-04
vulnerable: 7.2.10.fp5, 7.2.10.fp6
Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script …
- CVE-2021-33337MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.2.10.fp92021-08-04
vulnerable: 7.2.1 ... 7.2.10.fp8 (11 versions)
Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitra…
- CVE-2021-33338HIGHCVSS 7.5EG 7.5✓ Fixed in 7.2.10.fp62021-08-04
vulnerable: 7.2.1 ... 7.2.10.fp5 (8 versions)
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site…
- CVE-2021-33339MEDIUMCVSS 4.8EG 4.8✓ Fixed in 7.2.10.fp92021-08-04
vulnerable: 7.2.1 ... 7.2.10.fp8 (11 versions)
Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web…
- CVE-2021-38263MEDIUMCVSS 6.1EG 6.12022-03-03
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to injec…
- CVE-2021-38265MEDIUMCVSS 5.4EG 5.42022-03-03
vulnerable: 7.0.10.14 ... 7.2.10.fp9 (121 versions)
Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_As…
- CVE-2021-38266HIGHCVSS 7.5EG 7.5✓ Fixed in 7.3.0-ga12022-03-02
vulnerable: 7.0.10.14 ... 7.2.10.fp9 (121 versions)
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a …
- CVE-2021-38267MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.3.10.fp22022-03-03
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5, 7.3.10.fp1
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_li…
- CVE-2021-38268MEDIUMCVSS 6.5EG 6.5✓ Fixed in 7.3.10.fp22022-03-02
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5, 7.3.10.fp1
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members,…
- CVE-2021-38269MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.3.10.fp22022-03-03
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5, 7.3.10.fp1
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject …
- CVE-2022-25146MEDIUMCVSS 5.3EG 5.3✓ Fixed in 7.4.13.u52022-03-03
vulnerable: 7.0.10.14 ... 7.4.13.u4 (175 versions)
The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exf…
- CVE-2022-26593MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.3.10.fp32022-04-19
vulnerable: 7.3.10 ... 7.3.10.fp2 (6 versions)
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via th…
- CVE-2022-26594MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp32022-04-15
vulnerable: 7.3.10 ... 7.3.10.fp2 (6 versions)
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms mo…
- CVE-2022-26595MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.3.10.fp22022-04-19
vulnerable: 7.3.10, 7.3.10.ep3, 7.3.10.ep4, 7.3.10.ep5, 7.3.10.fp1
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the…
- CVE-2022-26596MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.2.10.fp82022-04-25
vulnerable: 7.2.1 ... 7.2.10.fp7 (10 versions)
Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows re…
- CVE-2022-26597MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.10.fp32022-04-25
vulnerable: 7.3.10 ... 7.3.10.fp2 (6 versions)
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the …
- CVE-2022-28977MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.2.10.fp142022-09-22
vulnerable: 7.2.10.fp10 ... 7.2.10.fp9 (9 versions)
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward …
Check whether com.liferay.portal:release.dxp.bom is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for com.liferay.portal:release.dxp.bom CVEs against the assets you own.
Start Free Scan →