Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

digital_experience_platform

Source -

NVDADP

CNA CVEs -

0

ADP CVEs -

6

CISA CVEs -

0

NVD CVEs -

262
Related CVEsRelated VendorsRelated AssignersReports
262Vulnerabilities found
CVE-2021-33323
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.42% / 61.21%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 18:19
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2021-33320
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.62%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 18:09
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-29049
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 50.70%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 18:46
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29048
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 64.22%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 11:08
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29051
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 54.31%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 11:01
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29044
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 64.22%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 10:55
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29043
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.20% / 42.32%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 10:48
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-29040
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 60.27%
||
7 Day CHG~0.00%
Published-16 May, 2021 | 15:03
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2020-15840
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 41.17%
||
7 Day CHG~0.00%
Published-24 Sep, 2020 | 14:56
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CVE-2020-15839
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.08% / 77.40%
||
7 Day CHG~0.00%
Published-22 Sep, 2020 | 17:27
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-digital_experience_platformliferay_portaln/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-15842
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.57% / 68.05%
||
7 Day CHG~0.00%
Published-20 Jul, 2020 | 01:06
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-15841
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.3||HIGH
EPSS-0.34% / 56.03%
||
7 Day CHG~0.00%
Published-20 Jul, 2020 | 01:06
Updated-15 Aug, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next