Total
44 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-25146 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message. | |||||
CVE-2022-26597 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. | |||||
CVE-2022-26593 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of a asset category. | |||||
CVE-2020-15839 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. |