CVE-2025-62275 Blogs images are visible to unauthenticated users
CVE-2025-62276 Private Cache-Control header for DM and AM file download
CVE-2025-62266 Insecure default for the property `redirect.url.security.mode`
CVE-2025-62257 Lockout mechanism doesn't prevent password enumeration brute force attacks
CVE-2025-62261 Cleartext storage of password reset tickets
CVE-2025-62262 Email address in LDAP import logs
CVE-2025-62255 Self-XSS with attachment file names in Knowledge Base
CVE-2025-62254 Very large ComboServlet responses
CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents
CVE-2025-43814 Password reminder answers recorded in audit events
CVE-2025-43809 CSRF vulnerability with server (license) registration
CVE-2025-62250 Portal fails to verify messages from the cluster network is trusted
CVE-2024-11993 Reflected XSS in Dispatch Name field
CVE-2025-43799 Change password requirement bypass
CVE-2025-62246 Stored XSS with mentions in comments
CVE-2025-43795 Open redirect in System Settings, Instance Settings and Site Settings
CVE-2023-37940 XSS with "Service Class" in Service Access Policy
CVE-2025-62253 Open redirect in page administration
CVE-2025-3526 DoS vulnerability with SessionClicks
CVE-2025-3594 DoS vulnerability with SessionClicks
CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions
CVE-2025-62259 Email address verification bypass
CVE-2023-42628 XSS with child wiki pages
CVE-2023-33937 Stored XSS with form name in form configuration
CVE-2023-33939 Stored XSS in Modified Facet
CVE-2023-33949 Users do not have to verify their email address by default
CVE-2022-42132 LDAP credentials exposed in URL
CVE-2022-42131 DDMRESTDataProvider vulnerable to man-in-the-middle attack
CVE-2022-42130 Unauthorized access to form entries via API
CVE-2022-42121 SQL injection vulnerability during page template upgrade
CVE-2022-42118 Reflected XSS with `tag` in Search
CVE-2022-42110 Stored XSS with announcement/alert type
CST-7230 Invalid portlet mode cause product menu to be inaccessible
CST-2022-01 Insecure defaults: auth.login.prompt.enabled
CVE-2022-28978 Stored XSS with user name in site membership
CVE-2022-28979 XSS in Custom Facet widget
CVE-2021-38263 Reflected XSS with Script page
CVE-2021-38266 DoS vulnerability prevents LDAP users from authenticating
CVE-2021-38268 Site member can add new forms by default
CVE-2021-38269 Stored XSS with Gogo Shell output
CST-7229 Mail server DoS via MembershipRequestService
CVE-2021-29040 Overly verbose JSON web services errors
CVE-2021-29043 S3 store's proxy password visible in System Settings
CVE-2021-29044 Stored XSS with membership request comment
CVE-2021-33320 Flagging content as inappropriate is not rate limited
CVE-2021-33321 Insecure default configuration allows for user enumeration using forgot password
CVE-2021-33322 Password change does not invalidate password reset tokens
CVE-2021-33323 Unauthenticated form drafts are visible to everybody
CVE-2021-33324 Unauthorized users can view a site's pages via page administration
CVE-2021-33325 User's unencrypted passwords stored in database
CVE-2021-33326 XSS with the title of a modal window
CVE-2021-33328 Stored XSS with Web Content Structure names and Document Types names in Categories Admin
CVE-2021-33331 Open redirect vulnerability in notifications
CVE-2021-33332 Reflected XSS with portletId in Look and Feel Configuration
CVE-2021-33333 Unauthorized users can view and delete workflow submissions
CVE-2021-33334 Unauthorized users can view forms and form entries
CVE-2021-33335 Non-company admins can edit company admins
CVE-2021-33338 Adding pages exposes CSRF token
CVE-2022-26596 Stored XSS with Template name
CST-7224 Stored XSS with user name in Document & Media file info panel
CST-7225 OAuth2 authentication bypass of REST application API
CST-7226 Open redirect in System Settings' search
CST-7310 Reflected XSS in Page Fragments' edit page
CST-7317 DoS vulnerability with multipart/form-data requests
CST-7150 JAX-RS APIs are vulnerable to CSRF
CST-7213 Java deserialization vulnerability in clustered setup
CST-7214 LDAP credentials exposed by 'Test LDAP Connection'
CST-7215 SSRF vulnerability via DDM REST Data Provider
CST-7216 Multiple XSS vulnerabilities in 7.1.3 and 7.2.1
CST-7217 Downloading MySQL Connector/J is vulnerable to MITM attacks
CST-7218 Libraries with known vulnerabilities in 7.1.3 and 7.2.1
CST-7219 Documents and Media file extension restriction circumvention
CST-7220 Directory traversal with Page Fragment exports
CST-7221 Flag email injection vulnerability
CST-7222 Any user can display unconfigured instance of an instantiable widget
CST-7223 Private site disclosure via Blogs RSS
CST-7301 DDMDataProvider API leaks REST data provider password
CST-7302 Remote code execution with FreeMarker/Velocity templates
CST-7303 Circumvention of open redirect prevention using tabs
CST-7114 Security vulnerabilities in Apache Tika
CST-7144 Vulnerabilities in Lodash 4.17.4
CST-7145 User enumeration via forget password
CST-7146 Security vulnerability in Jackson Databind 2.9.8
CST-7147 Security vulnerability in Jasig CAS Client 3.1.12
CST-7148 Security vulnerability in Apache Commons BeanUtils 1.9.2
CST-7149 Security vulnerability in Apache Tika 1.20
CST-7211 User can change password without current password
CST-7212 Passwords are emailed to users by default
CST-7204 Mail server DoS using /user/send-password-by-*
CST-7205 Unauthenticated Remote code execution via JSONWS
CST-7206 Hello World widget reveals portal version information
CST-7208 'leaflet' loaded using HTTP
CST-7209 Search results redirects users to non-https links
CST-7210 Email and password disclosure in Sign In
CST-7113 Remote Code Execution using Web Content/DDM templates
CST-7129 Pre-defined permissions for roles
CST-7127 Path traversal vulnerability in Poller
CST-7128 Open redirect in Language Selector widget
CST-7131 Libraries with known vulnerabilities
CST-7132 Unauthorized users can view web content articles via display pages
CST-7133 Multiple permission vulnerabilities in 7.1 CE GA4
CST-7134 Password policies regular expression truncation
CST-7135 Multiple XSS vulnerabilities in 7.1 CE GA4
CST-7136 OpenID phishing attack vulnerability
CST-7137 SSRF vulnerability via XSLT
CST-7138 SQL injection in asset framework
CST-7139 User password is visible on screen
CST-7140 DoS vulnerability via unresponsive DNS servers
CST-7141 RCE using JSON Deserialization in templates
CST-7142 'virtual.hosts.valid.hosts' bypass via 'X-Forwarded-Host' header
CST-7143 LDAP credentials is transmitted in plain text
CST-7130 Multiple XSS vulnerabilities in 7.1 CE GA3
CST-7125 SSRF vulnerability via DDM REST Data Provider
CST-7124 Anonymous message boards post can be associated with a user
CST-7123 Company secret key is accessible via templates
CST-7126 Password info recorded in logs
CST-7122 Multiple permission vulnerabilities in 7.1 CE GA3
CST-7121 Anonymous message boards post can be associated with a user
CST-7120 Open redirect in <liferay-ui:header>
CST-7115 Stored XSS with image resolutions in Adaptive Media
CST-7116 Multiple permission vulnerabilities in 7.1 CE GA2
CST-7117 Unverified password change
CST-7118 User login is vulnerable to CSRF
CST-7119 Overly verbose error message
CST-7110 Path traversal vulnerability in templates
CST-7111 RCE via JSON deserialization
CST-7112 Password reset token leaked to 3rd party sites
CST-7109 XXE vulnerability in XSL Content & Web Content
CST-7106 SSRF vulnerability via templates
CST-7107 HTML injection in notification emails
CST-7108 User can change password without entering current password
CST-7104 Multiple permission vulnerabilities in 7.1 CE GA1
CST-7105 LDAP injection
CST-7103 Multiple XSS vulnerabilities in 7.1 CE GA1
CST-7102 Open redirect vulnerability with Blogs RSS and tunnel-web
CST-7101 Password changes does not terminate other sessions
Powered by Liferay™
Legal
Compliance
Privacy Policy
本网站使用 Cookie
我们使用 Cookie 来提供个性化内容、分析趋势、管理网站、跟踪用户在网站上的活动,以及收集有关我们整个用户群的受众信息。接受所有 Cookie 可在我们的网站上获得最佳体验或管理您的偏好设置。 访问我们的《隐私政策》
