CVE-2022-40308 If anonymous read is enabled, it is possible to read the database file directly without logging in.
This is a serious security risk as the data in the database is not stored in a secured way. You should only enable this feature
CVE-2022-42122 - SQL Injection in Liferay Portal’s Friendly Url Module Explained
CVE-2022-42122 is a serious SQL injection vulnerability found in the Friendly Url module of Liferay Portal 7.3.7 and Liferay DXP (fix pack 2
CVE-2022-42120 - How a Fragment Module SQL Injection Left Liferay Portal Exposed
Liferay Portal is a popular open-source digital experience software, widely used for portals, intranets, and websites. But in 2022, security researchers discovered a worrying flaw—
CVE-2022-42121 SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote attackers to execute arbitrary SQL commands.
CVE-2019-1841 was confirmed to exist in Liferay. When exploited, the issue allows unauthenticated attackers to execute arbitrary SQL commands in the SQL database, obtain access
CVE-2022-42123 The Elasticsearch Connector in Liferay Portal and Liferay DXP has a Zip Slip vulnerability: archive entries whose names contain path traversal sequences are written outside the intended extraction directory, so existing files on the filesystem can be overwritten.
This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled
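The Zip Slip pattern behind CVE-2022-42123 is easy to reproduce in isolation. The following is an added example, not code from this page, from Liferay, or from the Elasticsearch Connector: it builds a constructed archive with a `../../outside.txt` entry, shows a naive extractor (join the entry name onto the destination and write) dropping that file two directories above the extraction root, and contrasts it with a hardened extractor that resolves every entry against the root and rejects the whole archive before writing anything. Everything runs inside a throwaway temp directory; the entry names and file contents are invented for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_zip_slip_archive() -> bytes:
    """Constructed sample archive: one benign entry and one that escapes the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.json", '{"cluster": "es-1"}')
        # zipfile writes the entry name verbatim; nothing stops "../" on the way in.
        zf.writestr("../../outside.txt", "overwritten by attacker")
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> list:
    """Vulnerable pattern: os.path.join(dest, entry_name) with no containment check.

    (Python's own ZipFile.extractall strips "..", so the bug is written out by hand.)
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened pattern: resolve each target and require it to stay under dest.

    Validation runs over all entries before any write, so a bad archive leaves
    nothing behind instead of half-extracting and then failing.
    """
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = []
        for info in zf.infolist():
            # Absolute names (e.g. "/etc/passwd") and "../" both resolve outside root.
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"zip slip entry rejected: {info.filename!r}")
            plan.append((info, target))
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive inside a fresh temp directory."""
    archive = build_zip_slip_archive()
    base = Path(tempfile.mkdtemp())
    # Two levels deep so the "../../" entry lands inside base, not the real filesystem.
    naive_dir = base / "data" / "sources"
    naive_dir.mkdir(parents=True)
    naive_paths = naive_extract(archive, str(naive_dir))
    escaped = [p for p in naive_paths if naive_dir.resolve() not in Path(p).parents]

    safe_dir = base / "data" / "safe"
    safe_dir.mkdir(parents=True)
    try:
        safe_extract(archive, str(safe_dir))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive_escaped": escaped,
        "safe_rejected": rejected,
        "safe_written_count": sum(1 for p in safe_dir.rglob("*") if p.is_file()),
    }


if __name__ == "__main__":
    print(demo())
```

The containment test compares fully resolved paths rather than string prefixes: a prefix check on `/srv/data` would wrongly accept `/srv/data-old/x`, and an unresolved path would let a symlink inside the extraction directory point the write elsewhere.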