Results for

liferay

6.5
MEDIUM
CVE-2018-10795

** DISPUTED ** Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/...

4.3
MEDIUM
CVE-2017-1000425

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.

4.3
MEDIUM
CVE-2017-17868

In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag.

4.3
MEDIUM
CVE-2017-12645

XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.

4.3
MEDIUM
CVE-2017-12649

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.

4.3
MEDIUM
CVE-2017-12647

XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.

4.3
MEDIUM
CVE-2017-12646

XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.

4.3
MEDIUM
CVE-2017-12648

XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.

4.3
MEDIUM
CVE-2016-10404

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.

7.5
HIGH
CVE-2016-6517

Directory traversal vulnerability in Liferay 5.1.0 allows remote attackers to have unspecified impact via a %2E%2E (encoded dot dot) in the minifierBundleDir parameter to barebone.jsp.