com.liferay.portal:release.portal.bom

Maven118 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting com.liferay.portal:release.portal.bompage 1 of 3

CVE-2016-10404MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.0.3-ga4
2017-08-07
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.
CVE-2017-1000425MEDIUMCVSS 6.1✓ Fixed in 7.1.0-a1
2018-01-02
vulnerable: 7.0.6, 7.0.6-1, 7.0.6-2
Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.
CVE-2017-12645MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.0.3-ga4
2017-08-07
XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.
CVE-2017-12646MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.0.3-GA4
2017-08-07
XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.
CVE-2017-12647MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.0.3-ga4
2017-08-07
XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.
CVE-2017-12648MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.0.3-GA4
2017-08-07
XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.
CVE-2017-12649MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.0.3-ga4
2017-08-07
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.
CVE-2019-16891CRITICALCVSS 9.8EG 9.8✓ Fixed in 7.1.1
2019-10-04
vulnerable: 7.0.6, 7.0.6-1, 7.0.6-2, 7.1.0
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
CVE-2019-6588MEDIUMCVSS 4.7✓ Fixed in 7.1.0
2019-06-03
vulnerable: 7.0.6, 7.0.6-1, 7.0.6-2
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha…
CVE-2020-13444MEDIUMCVSS 6.5EG 6.5✓ Fixed in 7.3.2
2020-06-10
vulnerable: 7.0.6 ... 7.3.1-1 (15 versions)
Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to ob…
CVE-2020-13445HIGHCVSS 8.8EG 8.8✓ Fixed in 7.3.2
2020-06-10
vulnerable: 7.0.6 ... 7.3.1-1 (15 versions)
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execu…
CVE-2020-15840MEDIUMCVSS 5.3EG 5.3✓ Fixed in 7.3.1
2020-09-24
vulnerable: 7.0.6 ... 7.3.0-1 (13 versions)
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
CVE-2020-15841HIGHCVSS 8.3EG 8.3✓ Fixed in 7.3.0
2020-07-20
vulnerable: 7.0.6 ... 7.2.1-1 (11 versions)
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password …
CVE-2020-15842HIGHCVSS 8.1EG 8.1✓ Fixed in 7.3.0
2020-07-20
vulnerable: 7.0.6 ... 7.2.1-1 (11 versions)
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deser…
CVE-2020-24554HIGHCVSS 7.5EG 7.5✓ Fixed in 7.3.3
2020-09-01
vulnerable: 7.0.6 ... 7.3.2-1 (17 versions)
The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that …
CVE-2020-25476MEDIUMCVSS 6.1EG 6.1
2021-01-07
vulnerable: 7.2.0, 7.2.1
Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of…
CVE-2020-7934MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.3.0
2020-01-28
vulnerable: 7.1.0 ... 7.2.1-1 (8 versions)
In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payl…
CVE-2021-29039MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.5
2021-05-16
vulnerable: 7.3.4
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.
CVE-2021-29040MEDIUMCVSS 5.3EG 5.3✓ Fixed in 7.3.5
2021-05-16
vulnerable: 7.0.6 ... 7.3.4 (20 versions)
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the conten…
CVE-2021-29043MEDIUMCVSS 5.9EG 5.9✓ Fixed in 7.3.6
2021-05-17
vulnerable: 7.0.6 ... 7.3.5 (21 versions)
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows …
CVE-2021-29044MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.6
2021-05-17
vulnerable: 7.0.6 ... 7.3.5 (21 versions)
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 bef…
CVE-2021-29045MEDIUMCVSS 6.1EG 6.1
2021-05-17
vulnerable: 7.3.2 ... 7.3.5 (6 versions)
Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML v…
CVE-2021-29046MEDIUMCVSS 6.1EG 6.1
2021-05-17
vulnerable: 7.3.5
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay…
CVE-2021-29047HIGHCVSS 7.5EG 7.5✓ Fixed in 7.3.6
2021-05-16
vulnerable: 7.3.4, 7.3.5
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA …
CVE-2021-29048MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.6
2021-05-17
vulnerable: 7.3.4, 7.3.5
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script…
CVE-2021-29051MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.3.6
2021-05-17
vulnerable: 7.2.1 ... 7.3.5 (12 versions)
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to i…
CVE-2021-29052MEDIUMCVSS 4.3EG 4.3
2021-05-17
vulnerable: 7.3.0 ... 7.3.5 (10 versions)
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authent…
CVE-2021-29053HIGHCVSS 8.8EG 8.8✓ Fixed in 7.3.6
2021-05-17
vulnerable: 7.3.5
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC…
CVE-2021-33321HIGHCVSS 7.5EG 7.5✓ Fixed in 7.3.3
2021-08-03
vulnerable: 7.0.6 ... 7.3.2-1 (17 versions)
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.passwo…
CVE-2021-33324MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.3.2
2021-08-03
vulnerable: 7.1.0 ... 7.3.1-1 (12 versions)
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a p…
CVE-2021-33325MEDIUMCVSS 4.9EG 4.9
2021-08-03
vulnerable: 7.3.0, 7.3.0-1, 7.3.1, 7.3.1-1, 7.3.2
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for us…
CVE-2021-33328MEDIUMCVSS 5.4EG 5.4
2021-08-03
vulnerable: 7.0.6 ... 7.3.4 (20 versions)
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers t…
CVE-2021-33330MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.3.3
2021-08-03
vulnerable: 7.2.0 ... 7.3.2-1 (9 versions)
Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows re…
CVE-2021-33331MEDIUMCVSS 6.1EG 6.1
2021-08-03
vulnerable: 7.0.6 ... 7.3.1 (14 versions)
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary…
CVE-2021-33332MEDIUMCVSS 6.1EG 6.1
2021-08-03
vulnerable: 7.1.0 ... 7.3.2 (13 versions)
Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script o…
CVE-2021-33333MEDIUMCVSS 6.3EG 6.3
2021-08-03
vulnerable: 7.0.6 ... 7.3.2 (16 versions)
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to v…
CVE-2021-33334MEDIUMCVSS 4.3EG 4.3
2021-08-03
vulnerable: 7.0.6 ... 7.3.2 (16 versions)
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with …
CVE-2021-33335HIGHCVSS 7.2EG 7.2✓ Fixed in 7.3.5
2021-08-03
vulnerable: 7.0.6 ... 7.3.4 (20 versions)
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company admin…
CVE-2021-33336MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.3.4
2021-08-04
vulnerable: 7.3.0 ... 7.3.3-1 (8 versions)
Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script …
CVE-2021-33338HIGHCVSS 7.5EG 7.5✓ Fixed in 7.3.3
2021-08-04
vulnerable: 7.1.0 ... 7.3.2-1 (14 versions)
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site…
CVE-2021-33339MEDIUMCVSS 4.8EG 4.8✓ Fixed in 7.3.5
2021-08-04
vulnerable: 7.2.1 ... 7.3.4 (11 versions)
Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web…
CVE-2021-35463MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.4.1
2021-08-04
vulnerable: 7.4.0
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter.
CVE-2021-38267MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.3.7-ga8
2022-03-03
vulnerable: 7.3.2 ... 7.3.7 (8 versions)
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_li…
CVE-2022-26595MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.4.2-ga3
2022-04-19
vulnerable: 7.4.0, 7.4.1, 7.4.1-1, 7.4.2, 7.4.2-1
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the…
CVE-2022-28977MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.4.3.4-ga4
2022-09-22
vulnerable: 7.3.2 ... 7.4.3.4 (14 versions)
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward …
CVE-2022-39975MEDIUMCVSS 4.3EG 4.3✓ Fixed in 7.4.3.35
2022-09-22
vulnerable: 7.3.3 ... 7.4.3.9 (44 versions)
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to vie…
CVE-2022-41414MEDIUMCVSS 5.3EG 5.3✓ Fixed in 7.4.2-ga3
2022-10-07
vulnerable: 7.0.6 ... 7.4.2-1 (28 versions)
An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.
CVE-2022-42122CRITICALCVSS 9.8EG 9.8✓ Fixed in 7.4.0-ga1
2022-11-15
vulnerable: 7.3.7, 7.4.0
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a…
CVE-2022-42123HIGHCVSS 7.5EG 7.5✓ Fixed in 7.4.3.19
2022-11-15
vulnerable: 7.3.3 ... 7.4.3.9 (26 versions)
A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via th…
CVE-2022-42124HIGHCVSS 7.5EG 7.5✓ Fixed in 7.4.3.5
2022-11-15
vulnerable: 7.3.2 ... 7.4.3.4 (14 versions)
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive am…

Check whether com.liferay.portal:release.portal.bom is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for com.liferay.portal:release.portal.bom CVEs against the assets you own.

Start Free Scan →