Liferay Dxp vulnerabilities

CVE-2023-33947 [MEDIUM] CWE-284 CVE-2023-33947: The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 d The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

CVE-2023-33941 [MEDIUM] CWE-79 CVE-2023-33941: Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2Provi Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.

CVE-2023-33942 [MEDIUM] CWE-79 CVE-2023-33942: Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Lif Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field.

CVE-2023-33939 [MEDIUM] CWE-79 CVE-2023-33939: Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 throug Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.

CVE-2023-33946 [MEDIUM] CWE-284 CVE-2023-33946: The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 d The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

CVE-2023-33937 [MEDIUM] CWE-79 CVE-2023-33937: Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.

CVE-2023-33944 [MEDIUM] CWE-79 CVE-2023-33944: Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

CVE-2023-33943 [MEDIUM] CWE-79 CVE-2023-33943: Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7. Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.

CVE-2023-33938 [MEDIUM] CWE-79 CVE-2023-33938: Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in L Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.

CVE-2022-42120 [CRITICAL] CWE-89 CVE-2022-42120: A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and L A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.

CVE-2022-42122 [CRITICAL] CWE-89 CVE-2022-42122: A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7. A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.

CVE-2022-42121 [HIGH] CWE-89 CVE-2022-42121: A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Life A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.

CVE-2022-42110 [MEDIUM] CWE-79 CVE-2022-42110: A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 throu A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML.

CVE-2022-42118 [MEDIUM] CWE-79 CVE-2022-42118: A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 throu A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.

CVE-2022-42111 [MEDIUM] CWE-79 CVE-2022-42111: A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Port A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload.

CVE-2022-42119 [MEDIUM] CWE-79 CVE-2022-42119: Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8.

CVE-2022-38901 [MEDIUM] CWE-79 CVE-2022-38901: A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functional A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file.

CVE-2022-42116 [MEDIUM] CWE-79 CVE-2022-42116: A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter.

CVE-2022-42117 [MEDIUM] CWE-79 CVE-2022-42117: A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 thr A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.

CVE-2022-42113 [MEDIUM] CWE-79 CVE-2022-42113: A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 thr A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter.