Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-29038 (GCVE-0-2021-29038)
Vulnerability from cvelistv5 – Published: 2024-02-20 00:00 – Updated: 2024-11-15 18:05
VLAI
EPSS
Summary
Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.
Severity
6.3 (Medium)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-29038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:45:01.157723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:05:06.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:12.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T21:30:45.646Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29038",
"datePublished": "2024-02-20T00:00:00.000Z",
"dateReserved": "2021-03-22T00:00:00.000Z",
"dateUpdated": "2024-11-15T18:05:06.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-29038",
"date": "2026-05-27",
"epss": "0.00094",
"percentile": "0.26109"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers.\"}, {\"lang\": \"es\", \"value\": \"Liferay Portal 7.2.0 a 7.3.5 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al fix pack 1, 7.2 anterior al fix pack 17 y versiones anteriores no compatibles no ofuscan las respuestas de recordatorio de contrase\\u00f1a en la p\\u00e1gina, lo que permite a los atacantes utilizar ataques de man-in-the-middle para robar las respuestas de recordatorio de contrase\\u00f1a del usuario.\"}]",
"id": "CVE-2021-29038",
"lastModified": "2024-11-21T06:00:34.147",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.4}]}",
"published": "2024-02-20T22:15:08.010",
"references": "[{\"url\": \"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-640\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-29038\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-02-20T22:15:08.010\",\"lastModified\":\"2025-05-13T17:19:50.530\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers.\"},{\"lang\":\"es\",\"value\":\"Liferay Portal 7.2.0 a 7.3.5 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al fix pack 1, 7.2 anterior al fix pack 17 y versiones anteriores no compatibles no ofuscan las respuestas de recordatorio de contrase\u00f1a en la p\u00e1gina, lo que permite a los atacantes utilizar ataques de man-in-the-middle para robar las respuestas de recordatorio de contrase\u00f1a del usuario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-640\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.2\",\"matchCriteriaId\":\"AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DCF7F39-A198-4F7E-84B7-90C88C1BAA96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7E68DF8-749B-4284-A7C9-929701A86B36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*\",\"matchCriteriaId\":\"340DF1FE-5720-4516-BA51-F2197A654409\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*\",\"matchCriteriaId\":\"97E155DE-05C6-4559-94A8-0EFEB958D0C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*\",\"matchCriteriaId\":\"0635FB5F-9C90-49C7-A9EF-00C0396FCCAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*\",\"matchCriteriaId\":\"77523B76-FC26-41B1-A804-7372E13F4FB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*\",\"matchCriteriaId\":\"B15397B8-5087-4239-AE78-D3C37D59DE83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*\",\"matchCriteriaId\":\"311EE92A-0EEF-4556-A52F-E6C9522FA2DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*\",\"matchCriteriaId\":\"49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7CECAA19-8B7F-44C8-8059-6D4F2105E196\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*\",\"matchCriteriaId\":\"68CBCEEB-7C28-4769-813F-3F01E33D2E08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*\",\"matchCriteriaId\":\"C0CB4927-A361-4DFA-BDB8-A454EA2894AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2B771B7-D5CB-4778-A3A8-1005E4EE134C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B9DB383-3791-4A43-BA4D-7695B203E736\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*\",\"matchCriteriaId\":\"13F02D77-20E9-4F32-9752-511EB71E6704\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*\",\"matchCriteriaId\":\"6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*\",\"matchCriteriaId\":\"759DDB90-6A89-4E4F-BD04-F70EFA5343B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F6A98ED-E694-4F39-95D0-C152BD1EC115\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.2.1\",\"matchCriteriaId\":\"345F6776-E492-489C-AC23-760BBC693A4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.3.0\",\"versionEndExcluding\":\"7.3.6\",\"matchCriteriaId\":\"735F304B-33E4-4DEB-A68F-8EF78B5597B8\"}]}]}],\"references\":[{\"url\":\"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T21:55:12.408Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-29038\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-22T16:45:01.157723Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-640\", \"description\": \"CWE-640 Weak Password Recovery Mechanism for Forgotten Password\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-05T15:20:40.639Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2024-02-20T21:30:45.646Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2021-29038\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-15T18:05:06.484Z\", \"dateReserved\": \"2021-03-22T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2024-02-20T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2025-AVI-0954
Vulnerability from certfr_avis - Published: 2025-11-03 - Updated: 2025-11-14
De multiples vulnérabilités ont été découvertes dans Liferay. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une injection de code indirecte à distance (XSS) et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Liferay DXP versions 2023.Q3.x et 2023.Q4.x ant\u00e9rieures \u00e0 2024.Q1.1",
"product": {
"name": "DXP",
"vendor": {
"name": "Liferay",
"scada": false
}
}
},
{
"description": "Liferay Portal versions 7.4.x ant\u00e9rieures \u00e0 7.4.3.112",
"product": {
"name": "Portal",
"vendor": {
"name": "Liferay",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-43818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43818"
},
{
"name": "CVE-2025-43762",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43762"
},
{
"name": "CVE-2025-43749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43749"
},
{
"name": "CVE-2024-26266",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26266"
},
{
"name": "CVE-2024-25151",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25151"
},
{
"name": "CVE-2023-40191",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40191"
},
{
"name": "CVE-2025-43748",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43748"
},
{
"name": "CVE-2025-43829",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43829"
},
{
"name": "CVE-2025-43813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43813"
},
{
"name": "CVE-2024-25609",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25609"
},
{
"name": "CVE-2024-26267",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26267"
},
{
"name": "CVE-2023-42498",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42498"
},
{
"name": "CVE-2025-62242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62242"
},
{
"name": "CVE-2025-43769",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43769"
},
{
"name": "CVE-2025-43751",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43751"
},
{
"name": "CVE-2025-62252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62252"
},
{
"name": "CVE-2025-62250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62250"
},
{
"name": "CVE-2023-44308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44308"
},
{
"name": "CVE-2025-62247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62247"
},
{
"name": "CVE-2023-5190",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5190"
},
{
"name": "CVE-2025-43820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43820"
},
{
"name": "CVE-2025-62259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62259"
},
{
"name": "CVE-2024-25607",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25607"
},
{
"name": "CVE-2025-43807",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43807"
},
{
"name": "CVE-2024-26269",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26269"
},
{
"name": "CVE-2025-43758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43758"
},
{
"name": "CVE-2021-29038",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29038"
},
{
"name": "CVE-2024-26268",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26268"
},
{
"name": "CVE-2023-37940",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37940"
},
{
"name": "CVE-2025-62245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62245"
},
{
"name": "CVE-2025-43765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43765"
},
{
"name": "CVE-2025-3586",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-3586"
},
{
"name": "CVE-2025-62267",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62267"
},
{
"name": "CVE-2025-43811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43811"
},
{
"name": "CVE-2023-42496",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42496"
},
{
"name": "CVE-2025-43808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43808"
},
{
"name": "CVE-2025-62239",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62239"
},
{
"name": "CVE-2025-43830",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43830"
},
{
"name": "CVE-2024-25150",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25150"
},
{
"name": "CVE-2023-47798",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47798"
},
{
"name": "CVE-2025-43779",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43779"
},
{
"name": "CVE-2025-62246",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62246"
},
{
"name": "CVE-2025-43772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43772"
},
{
"name": "CVE-2025-43826",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43826"
},
{
"name": "CVE-2025-62237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62237"
},
{
"name": "CVE-2025-43817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43817"
},
{
"name": "CVE-2025-62275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62275"
},
{
"name": "CVE-2023-3426",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3426"
},
{
"name": "CVE-2025-62251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62251"
},
{
"name": "CVE-2024-25605",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25605"
},
{
"name": "CVE-2024-25603",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25603"
},
{
"name": "CVE-2023-47795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47795"
},
{
"name": "CVE-2025-43799",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43799"
},
{
"name": "CVE-2025-43802",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43802"
},
{
"name": "CVE-2025-43782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43782"
},
{
"name": "CVE-2025-62264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62264"
},
{
"name": "CVE-2024-25149",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25149"
},
{
"name": "CVE-2025-62265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62265"
},
{
"name": "CVE-2025-43764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43764"
},
{
"name": "CVE-2025-43771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43771"
},
{
"name": "CVE-2024-25606",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25606"
},
{
"name": "CVE-2024-25608",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25608"
},
{
"name": "CVE-2025-43761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43761"
},
{
"name": "CVE-2025-43803",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43803"
},
{
"name": "CVE-2025-43823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43823"
},
{
"name": "CVE-2022-45320",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45320"
},
{
"name": "CVE-2021-29050",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29050"
},
{
"name": "CVE-2024-25602",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25602"
},
{
"name": "CVE-2024-25152",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25152"
},
{
"name": "CVE-2025-43815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43815"
},
{
"name": "CVE-2025-43770",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43770"
},
{
"name": "CVE-2025-62238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62238"
},
{
"name": "CVE-2025-43754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43754"
},
{
"name": "CVE-2025-43786",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43786"
},
{
"name": "CVE-2024-11993",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11993"
},
{
"name": "CVE-2025-62241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62241"
},
{
"name": "CVE-2025-62253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62253"
},
{
"name": "CVE-2025-43812",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43812"
},
{
"name": "CVE-2025-43750",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43750"
},
{
"name": "CVE-2024-25601",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25601"
},
{
"name": "CVE-2024-25610",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25610"
},
{
"name": "CVE-2025-43821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43821"
},
{
"name": "CVE-2024-25604",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25604"
},
{
"name": "CVE-2025-62248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62248"
},
{
"name": "CVE-2025-43822",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43822"
},
{
"name": "CVE-2025-62276",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62276"
},
{
"name": "CVE-2025-43788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43788"
},
{
"name": "CVE-2025-43766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43766"
},
{
"name": "CVE-2025-43781",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43781"
},
{
"name": "CVE-2025-43824",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43824"
},
{
"name": "CVE-2025-62249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62249"
},
{
"name": "CVE-2025-43789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43789"
},
{
"name": "CVE-2025-62243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62243"
},
{
"name": "CVE-2023-47797",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47797"
},
{
"name": "CVE-2025-43759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43759"
},
{
"name": "CVE-2025-43827",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43827"
},
{
"name": "CVE-2024-25147",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25147"
},
{
"name": "CVE-2025-43767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43767"
},
{
"name": "CVE-2025-43790",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43790"
},
{
"name": "CVE-2025-62240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62240"
},
{
"name": "CVE-2024-26270",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26270"
},
{
"name": "CVE-2025-43810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43810"
},
{
"name": "CVE-2025-43795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43795"
},
{
"name": "CVE-2024-26265",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26265"
},
{
"name": "CVE-2025-43768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43768"
},
{
"name": "CVE-2025-43775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43775"
},
{
"name": "CVE-2025-62244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62244"
}
],
"initial_release_date": "2025-11-03T00:00:00",
"last_revision_date": "2025-11-14T00:00:00",
"links": [
{
"title": "Bulletins de s\u00e9curit\u00e9 de Liferay",
"url": "https://liferay.dev/portal/security/known-vulnerabilities"
}
],
"reference": "CERTFR-2025-AVI-0954",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-03T00:00:00.000000"
},
{
"description": "R\u00e9gularisation des identifiants CVE pr\u00e9sents sur le site de l\u0027\u00e9diteur.",
"revision_date": "2025-11-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Liferay. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une injection de code indirecte \u00e0 distance (XSS) et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Liferay",
"vendor_advisories": [
{
"published_at": "2025-11-01",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62275-1",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62275-1"
},
{
"published_at": "2025-10-31",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62276",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62276"
},
{
"published_at": "2025-10-31",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62264",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62264"
},
{
"published_at": "2025-10-31",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62267",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62267"
}
]
}
CERTFR-2025-AVI-0954
Vulnerability from certfr_avis - Published: 2025-11-03 - Updated: 2025-11-14
De multiples vulnérabilités ont été découvertes dans Liferay. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une injection de code indirecte à distance (XSS) et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Liferay DXP versions 2023.Q3.x et 2023.Q4.x ant\u00e9rieures \u00e0 2024.Q1.1",
"product": {
"name": "DXP",
"vendor": {
"name": "Liferay",
"scada": false
}
}
},
{
"description": "Liferay Portal versions 7.4.x ant\u00e9rieures \u00e0 7.4.3.112",
"product": {
"name": "Portal",
"vendor": {
"name": "Liferay",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-43818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43818"
},
{
"name": "CVE-2025-43762",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43762"
},
{
"name": "CVE-2025-43749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43749"
},
{
"name": "CVE-2024-26266",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26266"
},
{
"name": "CVE-2024-25151",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25151"
},
{
"name": "CVE-2023-40191",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40191"
},
{
"name": "CVE-2025-43748",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43748"
},
{
"name": "CVE-2025-43829",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43829"
},
{
"name": "CVE-2025-43813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43813"
},
{
"name": "CVE-2024-25609",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25609"
},
{
"name": "CVE-2024-26267",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26267"
},
{
"name": "CVE-2023-42498",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42498"
},
{
"name": "CVE-2025-62242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62242"
},
{
"name": "CVE-2025-43769",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43769"
},
{
"name": "CVE-2025-43751",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43751"
},
{
"name": "CVE-2025-62252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62252"
},
{
"name": "CVE-2025-62250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62250"
},
{
"name": "CVE-2023-44308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44308"
},
{
"name": "CVE-2025-62247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62247"
},
{
"name": "CVE-2023-5190",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5190"
},
{
"name": "CVE-2025-43820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43820"
},
{
"name": "CVE-2025-62259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62259"
},
{
"name": "CVE-2024-25607",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25607"
},
{
"name": "CVE-2025-43807",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43807"
},
{
"name": "CVE-2024-26269",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26269"
},
{
"name": "CVE-2025-43758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43758"
},
{
"name": "CVE-2021-29038",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29038"
},
{
"name": "CVE-2024-26268",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26268"
},
{
"name": "CVE-2023-37940",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37940"
},
{
"name": "CVE-2025-62245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62245"
},
{
"name": "CVE-2025-43765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43765"
},
{
"name": "CVE-2025-3586",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-3586"
},
{
"name": "CVE-2025-62267",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62267"
},
{
"name": "CVE-2025-43811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43811"
},
{
"name": "CVE-2023-42496",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42496"
},
{
"name": "CVE-2025-43808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43808"
},
{
"name": "CVE-2025-62239",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62239"
},
{
"name": "CVE-2025-43830",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43830"
},
{
"name": "CVE-2024-25150",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25150"
},
{
"name": "CVE-2023-47798",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47798"
},
{
"name": "CVE-2025-43779",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43779"
},
{
"name": "CVE-2025-62246",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62246"
},
{
"name": "CVE-2025-43772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43772"
},
{
"name": "CVE-2025-43826",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43826"
},
{
"name": "CVE-2025-62237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62237"
},
{
"name": "CVE-2025-43817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43817"
},
{
"name": "CVE-2025-62275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62275"
},
{
"name": "CVE-2023-3426",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3426"
},
{
"name": "CVE-2025-62251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62251"
},
{
"name": "CVE-2024-25605",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25605"
},
{
"name": "CVE-2024-25603",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25603"
},
{
"name": "CVE-2023-47795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47795"
},
{
"name": "CVE-2025-43799",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43799"
},
{
"name": "CVE-2025-43802",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43802"
},
{
"name": "CVE-2025-43782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43782"
},
{
"name": "CVE-2025-62264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62264"
},
{
"name": "CVE-2024-25149",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25149"
},
{
"name": "CVE-2025-62265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62265"
},
{
"name": "CVE-2025-43764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43764"
},
{
"name": "CVE-2025-43771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43771"
},
{
"name": "CVE-2024-25606",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25606"
},
{
"name": "CVE-2024-25608",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25608"
},
{
"name": "CVE-2025-43761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43761"
},
{
"name": "CVE-2025-43803",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43803"
},
{
"name": "CVE-2025-43823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43823"
},
{
"name": "CVE-2022-45320",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45320"
},
{
"name": "CVE-2021-29050",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29050"
},
{
"name": "CVE-2024-25602",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25602"
},
{
"name": "CVE-2024-25152",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25152"
},
{
"name": "CVE-2025-43815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43815"
},
{
"name": "CVE-2025-43770",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43770"
},
{
"name": "CVE-2025-62238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62238"
},
{
"name": "CVE-2025-43754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43754"
},
{
"name": "CVE-2025-43786",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43786"
},
{
"name": "CVE-2024-11993",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11993"
},
{
"name": "CVE-2025-62241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62241"
},
{
"name": "CVE-2025-62253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62253"
},
{
"name": "CVE-2025-43812",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43812"
},
{
"name": "CVE-2025-43750",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43750"
},
{
"name": "CVE-2024-25601",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25601"
},
{
"name": "CVE-2024-25610",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25610"
},
{
"name": "CVE-2025-43821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43821"
},
{
"name": "CVE-2024-25604",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25604"
},
{
"name": "CVE-2025-62248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62248"
},
{
"name": "CVE-2025-43822",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43822"
},
{
"name": "CVE-2025-62276",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62276"
},
{
"name": "CVE-2025-43788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43788"
},
{
"name": "CVE-2025-43766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43766"
},
{
"name": "CVE-2025-43781",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43781"
},
{
"name": "CVE-2025-43824",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43824"
},
{
"name": "CVE-2025-62249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62249"
},
{
"name": "CVE-2025-43789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43789"
},
{
"name": "CVE-2025-62243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62243"
},
{
"name": "CVE-2023-47797",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47797"
},
{
"name": "CVE-2025-43759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43759"
},
{
"name": "CVE-2025-43827",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43827"
},
{
"name": "CVE-2024-25147",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25147"
},
{
"name": "CVE-2025-43767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43767"
},
{
"name": "CVE-2025-43790",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43790"
},
{
"name": "CVE-2025-62240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62240"
},
{
"name": "CVE-2024-26270",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26270"
},
{
"name": "CVE-2025-43810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43810"
},
{
"name": "CVE-2025-43795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43795"
},
{
"name": "CVE-2024-26265",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26265"
},
{
"name": "CVE-2025-43768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43768"
},
{
"name": "CVE-2025-43775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43775"
},
{
"name": "CVE-2025-62244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62244"
}
],
"initial_release_date": "2025-11-03T00:00:00",
"last_revision_date": "2025-11-14T00:00:00",
"links": [
{
"title": "Bulletins de s\u00e9curit\u00e9 de Liferay",
"url": "https://liferay.dev/portal/security/known-vulnerabilities"
}
],
"reference": "CERTFR-2025-AVI-0954",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-03T00:00:00.000000"
},
{
"description": "R\u00e9gularisation des identifiants CVE pr\u00e9sents sur le site de l\u0027\u00e9diteur.",
"revision_date": "2025-11-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Liferay. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une injection de code indirecte \u00e0 distance (XSS) et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Liferay",
"vendor_advisories": [
{
"published_at": "2025-11-01",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62275-1",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62275-1"
},
{
"published_at": "2025-10-31",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62276",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62276"
},
{
"published_at": "2025-10-31",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62264",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62264"
},
{
"published_at": "2025-10-31",
"title": "Bulletin de s\u00e9curit\u00e9 Liferay cve-2025-62267",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-62267"
}
]
}
FKIE_CVE-2021-29038
Vulnerability from fkie_nvd - Published: 2024-02-20 22:15 - Updated: 2025-05-13 17:19
Severity
Summary
Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AF8EBC77-BA94-4AA8-BAF0-D1E3C9146459",
"versionEndExcluding": "7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
"matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
"matchCriteriaId": "E7E68DF8-749B-4284-A7C9-929701A86B36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*",
"matchCriteriaId": "340DF1FE-5720-4516-BA51-F2197A654409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*",
"matchCriteriaId": "97E155DE-05C6-4559-94A8-0EFEB958D0C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*",
"matchCriteriaId": "0635FB5F-9C90-49C7-A9EF-00C0396FCCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*",
"matchCriteriaId": "77523B76-FC26-41B1-A804-7372E13F4FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*",
"matchCriteriaId": "B15397B8-5087-4239-AE78-D3C37D59DE83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*",
"matchCriteriaId": "311EE92A-0EEF-4556-A52F-E6C9522FA2DD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*",
"matchCriteriaId": "49501C9E-D12A-45E0-92F3-8FD5FDC6D3CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
"matchCriteriaId": "7CECAA19-8B7F-44C8-8059-6D4F2105E196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
"matchCriteriaId": "68CBCEEB-7C28-4769-813F-3F01E33D2E08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
"matchCriteriaId": "C0CB4927-A361-4DFA-BDB8-A454EA2894AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
"matchCriteriaId": "B2B771B7-D5CB-4778-A3A8-1005E4EE134C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
"matchCriteriaId": "3B9DB383-3791-4A43-BA4D-7695B203E736",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
"matchCriteriaId": "13F02D77-20E9-4F32-9752-511EB71E6704",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*",
"matchCriteriaId": "6353CC8F-A6D4-4A0C-8D68-290CD8DEB4F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*",
"matchCriteriaId": "759DDB90-6A89-4E4F-BD04-F70EFA5343B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
"matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
"matchCriteriaId": "345F6776-E492-489C-AC23-760BBC693A4F",
"versionEndIncluding": "7.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
"matchCriteriaId": "735F304B-33E4-4DEB-A68F-8EF78B5597B8",
"versionEndExcluding": "7.3.6",
"versionStartIncluding": "7.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers."
},
{
"lang": "es",
"value": "Liferay Portal 7.2.0 a 7.3.5 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al fix pack 1, 7.2 anterior al fix pack 17 y versiones anteriores no compatibles no ofuscan las respuestas de recordatorio de contrase\u00f1a en la p\u00e1gina, lo que permite a los atacantes utilizar ataques de man-in-the-middle para robar las respuestas de recordatorio de contrase\u00f1a del usuario."
}
],
"id": "CVE-2021-29038",
"lastModified": "2025-05-13T17:19:50.530",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-20T22:15:08.010",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-640"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-MWHF-6MJM-6W3H
Vulnerability from github – Published: 2024-02-21 00:31 – Updated: 2025-07-29 13:05
VLAI
Summary
Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers
Details
In Liferay Impl before 5.18.4, Liferay Users Admin Web before 5.0.33, Liferay Login Web before 5.0.18, and Liferay Commerce Account Web before 3.0.7 from Liferay Portal (7.2.0 through 7.3.5), and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.
Severity
6.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:portal-impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.18.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.users.admin.web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.login.web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.commerce:com.liferay.commerce.account.web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.2.10.fp17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.0"
},
{
"fixed": "7.3.10.fp1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29038"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-29T13:05:27Z",
"nvd_published_at": "2024-02-20T22:15:08Z",
"severity": "MODERATE"
},
"details": "In Liferay Impl before 5.18.4, Liferay Users Admin Web before 5.0.33, Liferay Login Web before 5.0.18, and Liferay Commerce Account Web before 3.0.7 from Liferay Portal (7.2.0 through 7.3.5), and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers.",
"id": "GHSA-mwhf-6mjm-6w3h",
"modified": "2025-07-29T13:05:27Z",
"published": "2024-02-21T00:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29038"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/5e2da784aeefce64107abd0411590db2b55faf0b"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers"
}
GSD-2021-29038
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-29038",
"id": "GSD-2021-29038"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-29038"
],
"details": "Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers.",
"id": "GSD-2021-29038",
"modified": "2023-12-13T01:23:36.859317Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29038",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038",
"refsource": "MISC",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers."
},
{
"lang": "es",
"value": "Liferay Portal 7.2.0 a 7.3.5 y versiones anteriores no compatibles, y Liferay DXP 7.3 anterior al fix pack 1, 7.2 anterior al fix pack 17 y versiones anteriores no compatibles no ofuscan las respuestas de recordatorio de contrase\u00f1a en la p\u00e1gina, lo que permite a los atacantes utilizar ataques de man-in-the-middle para robar las respuestas de recordatorio de contrase\u00f1a del usuario."
}
],
"id": "CVE-2021-29038",
"lastModified": "2024-02-22T19:07:37.840",
"metrics": {},
"published": "2024-02-20T22:15:08.010",
"references": [
{
"source": "cve@mitre.org",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Awaiting Analysis"
}
}
}
}
WID-SEC-W-2024-0323
Vulnerability from csaf_certbund - Published: 2024-02-07 23:00 - Updated: 2024-02-07 23:00Summary
Liferay Liferay Portal und DXP: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Liferay Portal ist eine Open-Source-Webplattform für Unternehmen, die ein Framework für die Erstellung und Verwaltung von webbasierten Anwendungen und Inhalten bietet.
Liferay DXP (Digital Experience Platform) ist eine erweiterte und kommerziell unterstützte Version von Liferay Portal, die zusätzliche Funktionen und Dienste bietet.
Angriff: Ein entfernter Angreifer kann mehrere Schwachstellen in Liferay Liferay Portal und Liferay Liferay DXP ausnutzen, um Informationen offenzulegen, Cross-Site-Scripting (XSS)-Angriffe durchzuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen oder Dateien zu manipulieren.
Betroffene Betriebssysteme: - UNIX
- Linux
- MacOS X
- Windows
Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht, weil die Antworten auf die Kennworterinnerung nicht verschleiert sind, wodurch ein Man-in-the-Middle- oder Shoulder-Surfing-Angriff durchgeführt werden kann, um die Antworten auf die Kennworterinnerung des Benutzers zu stehlen. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion.
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Liferay Liferay DXP < 7.2 fix pack 13
Liferay / Liferay DXP
|
< 7.2 fix pack 13 | ||
|
Liferay Liferay DXP < 7.3 fix pack 2
Liferay / Liferay DXP
|
< 7.3 fix pack 2 | ||
|
Liferay Liferay DXP < 7.2 fix pack 5
Liferay / Liferay DXP
|
< 7.2 fix pack 5 | ||
|
Liferay Liferay DXP < 7.2 fix pack 11
Liferay / Liferay DXP
|
< 7.2 fix pack 11 | ||
|
Liferay Liferay Portal < 7.3.1
Liferay / Liferay Portal
|
< 7.3.1 |
Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht auf der Seite mit den Nutzungsbedingungen aufgrund eines Cross-Site Request Forgery-Problems, das es ermöglicht, einen Benutzer zum Besuch einer bösartigen Seite zu verleiten. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um falsche Informationen zu präsentieren und möglicherweise einen Phishing-Angriff durchzuführen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Liferay Liferay DXP < 7.2 fix pack 5
Liferay / Liferay DXP
|
< 7.2 fix pack 5 | ||
|
Liferay Liferay Portal < 7.3.1
Liferay / Liferay Portal
|
< 7.3.1 |
Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht aufgrund einer unsachgemäßen Validierung von Benutzersitzungen, die es erlaubt, authentifiziert zu bleiben, nachdem ein Konto gesperrt wurde. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsmaßnahmen zu umgehen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion.
Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht im Dokument- und Medien-Widget aufgrund eines unbeschränkten Speicherverbrauchs während der Erzeugung eines Vorschaubildes. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.
Affected products
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Liferay Liferay Portal < 7.3.6
Liferay / Liferay Portal
|
< 7.3.6 | ||
|
Liferay Liferay DXP < 7.3 service pack 1
Liferay / Liferay DXP
|
< 7.3 service pack 1 | ||
|
Liferay Liferay DXP < 7.2 fix pack 17
Liferay / Liferay DXP
|
< 7.2 fix pack 17 | ||
|
Liferay Liferay DXP < 7.2 fix pack 5
Liferay / Liferay DXP
|
< 7.2 fix pack 5 | ||
|
Liferay Liferay DXP < 7.2 fix pack 11
Liferay / Liferay DXP
|
< 7.2 fix pack 11 | ||
|
Liferay Liferay Portal < 7.3.1
Liferay / Liferay Portal
|
< 7.3.1 |
Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht im IFrame-Widget aufgrund einer unsachgemäßen URL-Validierung. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion.
Affected products
Known affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Liferay Liferay DXP < 7.2 fix pack 15
Liferay / Liferay DXP
|
< 7.2 fix pack 15 | ||
|
Liferay Liferay Portal < 7.3.6
Liferay / Liferay Portal
|
< 7.3.6 | ||
|
Liferay Liferay DXP < 7.2 fix pack 13
Liferay / Liferay DXP
|
< 7.2 fix pack 13 | ||
|
Liferay Liferay DXP < 7.3 service pack 3
Liferay / Liferay DXP
|
< 7.3 service pack 3 | ||
|
Liferay Liferay DXP < 7.3 fix pack 2
Liferay / Liferay DXP
|
< 7.3 fix pack 2 | ||
|
Liferay Liferay DXP < 7.2 fix pack 18
Liferay / Liferay DXP
|
< 7.2 fix pack 18 | ||
|
Liferay Liferay DXP < 7.3 service pack 1
Liferay / Liferay DXP
|
< 7.3 service pack 1 | ||
|
Liferay Liferay DXP < 7.2 fix pack 17
Liferay / Liferay DXP
|
< 7.2 fix pack 17 | ||
|
Liferay Liferay Portal < 7.4.3.12
Liferay / Liferay Portal
|
< 7.4.3.12 | ||
|
Liferay Liferay DXP < 7.2 fix pack 5
Liferay / Liferay DXP
|
< 7.2 fix pack 5 | ||
|
Liferay Liferay Portal < 7.3.7
Liferay / Liferay Portal
|
< 7.3.7 | ||
|
Liferay Liferay Portal < 7.4.2
Liferay / Liferay Portal
|
< 7.4.2 | ||
|
Liferay Liferay DXP < 7.2 fix pack 11
Liferay / Liferay DXP
|
< 7.2 fix pack 11 | ||
|
Liferay Liferay DXP < 7.4 update 8
Liferay / Liferay DXP
|
< 7.4 update 8 | ||
|
Liferay Liferay Portal < 7.3.1
Liferay / Liferay Portal
|
< 7.3.1 | ||
|
Liferay Liferay DXP < 7.3 update 4
Liferay / Liferay DXP
|
< 7.3 update 4 |
In Liferay Liferay Portal und Liferay Liferay DXP existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in der "Search Result"-App des "Portal Search"-Moduls nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich.
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Liferay Liferay DXP < 7.2 fix pack 15
Liferay / Liferay DXP
|
< 7.2 fix pack 15 | ||
|
Liferay Liferay Portal < 7.3.6
Liferay / Liferay Portal
|
< 7.3.6 | ||
|
Liferay Liferay DXP < 7.2 fix pack 13
Liferay / Liferay DXP
|
< 7.2 fix pack 13 | ||
|
Liferay Liferay DXP < 7.3 service pack 3
Liferay / Liferay DXP
|
< 7.3 service pack 3 | ||
|
Liferay Liferay DXP < 7.3 fix pack 2
Liferay / Liferay DXP
|
< 7.3 fix pack 2 | ||
|
Liferay Liferay DXP < 7.3 service pack 1
Liferay / Liferay DXP
|
< 7.3 service pack 1 | ||
|
Liferay Liferay DXP < 7.2 fix pack 5
Liferay / Liferay DXP
|
< 7.2 fix pack 5 | ||
|
Liferay Liferay Portal < 7.3.7
Liferay / Liferay Portal
|
< 7.3.7 | ||
|
Liferay Liferay Portal < 7.4.2
Liferay / Liferay Portal
|
< 7.4.2 | ||
|
Liferay Liferay DXP < 7.2 fix pack 11
Liferay / Liferay DXP
|
< 7.2 fix pack 11 | ||
|
Liferay Liferay Portal < 7.3.1
Liferay / Liferay Portal
|
< 7.3.1 |
Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht aufgrund einer unsachgemäßen Zugriffskontrolle, die es einem unbefugten Benutzer ermöglicht, herauszufinden, ob eine Site besteht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen.
Affected products
Known affected
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Liferay Liferay DXP < 7.2 fix pack 15
Liferay / Liferay DXP
|
< 7.2 fix pack 15 | ||
|
Liferay Liferay Portal < 7.3.6
Liferay / Liferay Portal
|
< 7.3.6 | ||
|
Liferay Liferay DXP < 7.2 fix pack 13
Liferay / Liferay DXP
|
< 7.2 fix pack 13 | ||
|
Liferay Liferay DXP < 7.3 fix pack 2
Liferay / Liferay DXP
|
< 7.3 fix pack 2 | ||
|
Liferay Liferay DXP < 7.3 service pack 1
Liferay / Liferay DXP
|
< 7.3 service pack 1 | ||
|
Liferay Liferay DXP < 7.4 update 27
Liferay / Liferay DXP
|
< 7.4 update 27 | ||
|
Liferay Liferay DXP < 7.2 fix pack 17
Liferay / Liferay DXP
|
< 7.2 fix pack 17 | ||
|
Liferay Liferay Portal < 7.4.3.12
Liferay / Liferay Portal
|
< 7.4.3.12 | ||
|
Liferay Liferay Portal < 7.3.7
Liferay / Liferay Portal
|
< 7.3.7 | ||
|
Liferay Liferay DXP < 7.2 fix pack 11
Liferay / Liferay DXP
|
< 7.2 fix pack 11 | ||
|
Liferay Liferay DXP < 7.4 update 8
Liferay / Liferay DXP
|
< 7.4 update 8 | ||
|
Liferay Liferay Portal < 7.3.1
Liferay / Liferay Portal
|
< 7.3.1 | ||
|
Liferay Liferay DXP < 7.3 update 4
Liferay / Liferay DXP
|
< 7.3 update 4 |
Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht im WYSIWYG-Editor bei der Erstellung von Inhalten, da der URL-Parameter `doAsUserId` ausgelesen werden kann. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren.
Affected products
Known affected
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Liferay Liferay Portal < 7.3.6
Liferay / Liferay Portal
|
< 7.3.6 | ||
|
Liferay Liferay DXP < 7.2 fix pack 13
Liferay / Liferay DXP
|
< 7.2 fix pack 13 | ||
|
Liferay Liferay DXP < 7.3 fix pack 2
Liferay / Liferay DXP
|
< 7.3 fix pack 2 | ||
|
Liferay Liferay DXP < 7.3 service pack 1
Liferay / Liferay DXP
|
< 7.3 service pack 1 | ||
|
Liferay Liferay DXP < 7.4 update 27
Liferay / Liferay DXP
|
< 7.4 update 27 | ||
|
Liferay Liferay DXP < 7.2 fix pack 5
Liferay / Liferay DXP
|
< 7.2 fix pack 5 | ||
|
Liferay Liferay Portal < 7.3.7
Liferay / Liferay Portal
|
< 7.3.7 | ||
|
Liferay Liferay DXP < 7.2 fix pack 11
Liferay / Liferay DXP
|
< 7.2 fix pack 11 | ||
|
Liferay Liferay Portal < 7.3.1
Liferay / Liferay Portal
|
< 7.3.1 |
References
10 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Liferay Portal ist eine Open-Source-Webplattform f\u00fcr Unternehmen, die ein Framework f\u00fcr die Erstellung und Verwaltung von webbasierten Anwendungen und Inhalten bietet.\r\nLiferay DXP (Digital Experience Platform) ist eine erweiterte und kommerziell unterst\u00fctzte Version von Liferay Portal, die zus\u00e4tzliche Funktionen und Dienste bietet.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter Angreifer kann mehrere Schwachstellen in Liferay Liferay Portal und Liferay Liferay DXP ausnutzen, um Informationen offenzulegen, Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen oder Dateien zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- MacOS X\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0323 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0323.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0323 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0323"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29050"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146"
},
{
"category": "external",
"summary": "Liferay Known Vulnerabilities vom 2024-02-07",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148"
}
],
"source_lang": "en-US",
"title": "Liferay Liferay Portal und DXP: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-02-07T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:04:58.696+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0323",
"initial_release_date": "2024-02-07T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-02-07T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 7.3 service pack 1",
"product": {
"name": "Liferay Liferay DXP \u003c 7.3 service pack 1",
"product_id": "T032579"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.2 fix pack 17",
"product": {
"name": "Liferay Liferay DXP \u003c 7.2 fix pack 17",
"product_id": "T032581"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.2 fix pack 11",
"product": {
"name": "Liferay Liferay DXP \u003c 7.2 fix pack 11",
"product_id": "T032582"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.2 fix pack 5",
"product": {
"name": "Liferay Liferay DXP \u003c 7.2 fix pack 5",
"product_id": "T032584"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.2 fix pack 13",
"product": {
"name": "Liferay Liferay DXP \u003c 7.2 fix pack 13",
"product_id": "T032586"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.3 fix pack 2",
"product": {
"name": "Liferay Liferay DXP \u003c 7.3 fix pack 2",
"product_id": "T032587"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.2 fix pack 19",
"product": {
"name": "Liferay Liferay DXP \u003c 7.2 fix pack 19",
"product_id": "T032589"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.3 update 6",
"product": {
"name": "Liferay Liferay DXP \u003c 7.3 update 6",
"product_id": "T032590"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.4 update 27",
"product": {
"name": "Liferay Liferay DXP \u003c 7.4 update 27",
"product_id": "T032591"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.4 update 8",
"product": {
"name": "Liferay Liferay DXP \u003c 7.4 update 8",
"product_id": "T032593"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.3 update 4",
"product": {
"name": "Liferay Liferay DXP \u003c 7.3 update 4",
"product_id": "T032594"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.3 service pack 3",
"product": {
"name": "Liferay Liferay DXP \u003c 7.3 service pack 3",
"product_id": "T032597"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.2 fix pack 18",
"product": {
"name": "Liferay Liferay DXP \u003c 7.2 fix pack 18",
"product_id": "T032598"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.2 fix pack 15",
"product": {
"name": "Liferay Liferay DXP \u003c 7.2 fix pack 15",
"product_id": "T032599"
}
}
],
"category": "product_name",
"name": "Liferay DXP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 7.3.6",
"product": {
"name": "Liferay Liferay Portal \u003c 7.3.6",
"product_id": "T032578"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.3.1",
"product": {
"name": "Liferay Liferay Portal \u003c 7.3.1",
"product_id": "T032583"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.3.7",
"product": {
"name": "Liferay Liferay Portal \u003c 7.3.7",
"product_id": "T032585"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.4.3.27",
"product": {
"name": "Liferay Liferay Portal \u003c 7.4.3.27",
"product_id": "T032588"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.4.3.12",
"product": {
"name": "Liferay Liferay Portal \u003c 7.4.3.12",
"product_id": "T032592"
}
},
{
"category": "product_version_range",
"name": "\u003c 7.4.2",
"product": {
"name": "Liferay Liferay Portal \u003c 7.4.2",
"product_id": "T032596"
}
}
],
"category": "product_name",
"name": "Liferay Portal"
}
],
"category": "vendor",
"name": "Liferay"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-29038",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht, weil die Antworten auf die Kennworterinnerung nicht verschleiert sind, wodurch ein Man-in-the-Middle- oder Shoulder-Surfing-Angriff durchgef\u00fchrt werden kann, um die Antworten auf die Kennworterinnerung des Benutzers zu stehlen. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T032586",
"T032587",
"T032584",
"T032582",
"T032583"
]
},
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2021-29038"
},
{
"cve": "CVE-2021-29050",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht auf der Seite mit den Nutzungsbedingungen aufgrund eines Cross-Site Request Forgery-Problems, das es erm\u00f6glicht, einen Benutzer zum Besuch einer b\u00f6sartigen Seite zu verleiten. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um falsche Informationen zu pr\u00e4sentieren und m\u00f6glicherweise einen Phishing-Angriff durchzuf\u00fchren. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T032584",
"T032583"
]
},
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2021-29050"
},
{
"cve": "CVE-2023-47798",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht aufgrund einer unsachgem\u00e4\u00dfen Validierung von Benutzersitzungen, die es erlaubt, authentifiziert zu bleiben, nachdem ein Konto gesperrt wurde. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2023-47798"
},
{
"cve": "CVE-2024-25143",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht im Dokument- und Medien-Widget aufgrund eines unbeschr\u00e4nkten Speicherverbrauchs w\u00e4hrend der Erzeugung eines Vorschaubildes. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
}
],
"product_status": {
"known_affected": [
"T032578",
"T032579",
"T032581",
"T032584",
"T032582",
"T032583"
]
},
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2024-25143"
},
{
"cve": "CVE-2024-25144",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht im IFrame-Widget aufgrund einer unsachgem\u00e4\u00dfen URL-Validierung. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T032599",
"T032578",
"T032586",
"T032597",
"T032587",
"T032598",
"T032579",
"T032581",
"T032592",
"T032584",
"T032585",
"T032596",
"T032582",
"T032593",
"T032583",
"T032594"
]
},
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2024-25144"
},
{
"cve": "CVE-2024-25145",
"notes": [
{
"category": "description",
"text": "In Liferay Liferay Portal und Liferay Liferay DXP existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in der \"Search Result\"-App des \"Portal Search\"-Moduls nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T032599",
"T032578",
"T032586",
"T032597",
"T032587",
"T032579",
"T032584",
"T032585",
"T032596",
"T032582",
"T032583"
]
},
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2024-25145"
},
{
"cve": "CVE-2024-25146",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht aufgrund einer unsachgem\u00e4\u00dfen Zugriffskontrolle, die es einem unbefugten Benutzer erm\u00f6glicht, herauszufinden, ob eine Site besteht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T032599",
"T032578",
"T032586",
"T032587",
"T032579",
"T032591",
"T032581",
"T032592",
"T032585",
"T032582",
"T032593",
"T032583",
"T032594"
]
},
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2024-25146"
},
{
"cve": "CVE-2024-25148",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Liferay Liferay Portal und Liferay Liferay DXP. Dieser Fehler besteht im WYSIWYG-Editor bei der Erstellung von Inhalten, da der URL-Parameter `doAsUserId` ausgelesen werden kann. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren."
}
],
"product_status": {
"known_affected": [
"T032578",
"T032586",
"T032587",
"T032579",
"T032591",
"T032584",
"T032585",
"T032582",
"T032583"
]
},
"release_date": "2024-02-07T23:00:00.000+00:00",
"title": "CVE-2024-25148"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…