CVE-2022-42120 - How a Fragment Module SQL Injection Left Liferay Portal Exposed
Liferay Portal is a popular open-source digital experience software, widely used for portals, intranets, and websites. But in 2022, security researchers discovered a worrying flaw—
CVE-2022-42121 - A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA. It can allow remote attackers to execute arbitrary SQL commands.
CVE-2019-1841 was confirmed to exist in Liferay. When exploited, the issue allows unauthenticated attackers to execute arbitrary SQL commands in the SQL database, obtain access
CVE-2022-42123 - The Elasticsearch Connector and Liferay DXP have a Zip Slip vulnerability that can be used to overwrite existing files on the filesystem.
This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled
CVE-2022-40405 - The online community platform v4.1.2 was found to have a SQL injection vulnerability.
By sending a request with the parameter ‘offset=XX’, a remote attacker can inject SQL statements that will be executed against the database.
An attacker
CVE-2022-43688 - Concrete CMS 8.5.10 and 9.0.0 to 9.1.2 are vulnerable to Stored XSS because the Microsoft application tile color is not sanitized.
This issue does not affect versions of Concrete CMS below 8.5.10 or above 8.5.10 if the Microsoft application tile color is