Shodan
Vulnerabilities
Vulnerable Software
Liferay:  >> Digital Experience Platform  >> 7.4  Security Vulnerabilities
CVE-2022-42123
A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-11-15
CVE-2022-42124
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-11-15
CVE-2022-42125
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-11-15
CVE-2022-42126
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-11-15
CVE-2022-42127
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-11-15
CVE-2022-42128
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-11-15
CVE-2022-25146
The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-03-03


Products
Pricing
Contact Us

Shodan ® - All rights reserved