** DISPUTED ** Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/...

4.3

MEDIUM

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.

4.3

MEDIUM

In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag.

Liferay Liferay Portal

4.3

MEDIUM

XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.

Liferay Liferay Portal

4.3

MEDIUM

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.

Liferay Liferay Portal

4.3

MEDIUM

XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.

Liferay Liferay Portal

4.3

MEDIUM

XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.

Liferay Liferay Portal

4.3

MEDIUM

XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.

Liferay Liferay Portal

4.3

MEDIUM

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.

Liferay Liferay Portal

7.5

HIGH

Directory traversal vulnerability in Liferay 5.1.0 allows remote attackers to have unspecified impact via a %2E%2E (encoded dot dot) in the minifierBundleDir parameter to barebone.jsp.

Liferay Liferay