When creating a new Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When editing an existing Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When viewing the source of an existing Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When creating a new event, the application does not properly sanitize user-supplied input, resulting in XSS. When editing an existing event, the application does not properly sanitize user-supplied input, resulting in XSS. When viewing the source of an existing event, the application does not properly sanitize user-supplied input, resulting in XSS. Liferay 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 do not properly sanitize user-supplied input, resulting in XSS. Credit: This issue was discovered by Lorenzo Mazza of the Cisco Talos security research team.

Liferay and Apache Struts 2

CVE-2018-11776: Liferay and Apache Struts2 Hacking Campaign
Liferay is an open source e-commerce solution that is used by many organizations of all sizes. It provides a highly customizable platform for managing every aspect of the business. Additionally, it features robust security features to protect against malicious threats that target the system.

CVE-2023-42058

Persistent Cross-Site Scripting
When creating a new Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When editing an existing Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When viewing the source of an existing Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When creating a new event, the application does not properly sanitize user-supplied input, resulting in XSS. When editing an existing event, the application does not properly sanitize user-supplied input, resulting in XSS. When viewing the source of an existing event, the application does not properly sanitize user-supplied input, resulting in XSS. Liferay 7.1 through 7.4 and Liferay DXP 7.1 before fix pack 27 do not properly sanitize user-supplied input when adding or updating comments on posts and pages with certain tags (defined by functionalities), which causes users to be logged out while they are still logged into Liferay and results in persistent cross-site scripting (XSS). Credit: This issue was discovered by Lorenzo Mazza of the Cisco Talos security research team.

CVE-2023-4120

When creating a new Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When editing an existing Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When viewing the source of an existing Announcement, the application does not properly sanitize user-supplied input, resulting in XSS. When creating a new event, the application does not properly sanitize user-supplied input, resulting in XSS. When editing an existing event, the application does not properly sanitize user-supplied input, resulting in XSS. When viewing the source of an existing event, the application does not properly sanitize user-supplied input, resulting in XSS. Liferay 7 through 7.2 and 7.3 before service pack 3 do not properly sanitize user-supplied input when processing a request for a generic resource that is retrieved from LDAP or DB2 using either LDAPv3 or JDBC respectively , resulting in XXE vulnerability. This issue was discovered by Lorenzo Mazza of Cisco Talos security research team Credit: This issue was discovered by Lorenzo Mazza of Cisco Talos security research team

Lorenzo Mazza of Cisco Talos

Timeline

Published on: 11/15/2022 00:15:00 UTC
Last modified on: 11/17/2022 14:37:00 UTC

References