CVE-2018-1473

An issue was discovered in Liferay Portal 7.4.3.4. When editing blog or profile details via the Object module, an XSS vulnerability could allow remote attackers to inject arbitrary code into the system via a crafted payload in the object field's `Label` text field. An attacker could leverage this vulnerability to inject script or HTML code into the system, obtaining access to internal data or other privileges.

CVE-2018-1479

Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to conduct clickjacking attacks on the login page via a crafted URL. The clickjacking issue exists due to the lack of verification of the request header 'X-Frame-Options'. An attacker could leverage this vulnerability to make a fake login request, tricking the user into clicking a malicious link that could lead to phishing or other attacks.

CVE-2018-1478

Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to conduct

How to update nowiki

In order to update the article, please follow these steps:
1. Log in to the WordPress site and navigate to "Settings"
2. Scroll down the page until you find "Forum settings"
3. Click on "Forum default settings"
4. Uncheck the box next to "Allow custom stylesheets"

Authentication Bypass Through Reflected Cross-Site Scripting

Liferay Portal 7.4.3.36 through 7.4.3.44 allows remote attackers to conduct authentication bypass attacks and inject arbitrary HTML or JavaScript via a crafted URL delivered during the login process, related to an XSS vulnerability in the `login` action of the `org.liferay.portal.actions` package that is triggered when handling an exception from the session creation process in `org.liferay.portal.*`.

Authentication Bypass

Liferay Portal 7.4.3.36 through 7.4.3.41 allows remote attackers to conduct authentication bypass attacks via a crafted request to the search service module, which causes the target's session to be logged out without a corresponding failover into another session or application.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/20/2022 18:09:00 UTC
