209 matches found

Snyk
added 2025/08/22 9:31 p.m. · 4 views

Files or Directories Accessible to External Parties

Overview: Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties files uploaded by object entry and stored in documentlibrary, via URL. Remediation: Upgrade com.liferay:com.liferay.object.dynamic.data.mapping.form.field.type to version 1.0.65 or...

CVSS 5.3 · AI score 6.9 · EPSS 0.00298
Exploits 0 · References 2
Snyk
added 2025/08/22 9:31 p.m. · 2 views

Allocation of Resources Without Limits or Throttling

Overview: com.liferay:com.liferay.dynamic.data.mapping.form.web is a Liferay Dynamic Data Mapping Form Web. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the lack of temporary file deletions in the forms upload field. An attacker c...

CVSS 6.5 · AI score 7 · EPSS 0.00355
Exploits 0 · References 2
vulnersOsv
added 2025/08/22 9:31 p.m. · 4 views

com.liferay:com.liferay.dynamic.data.lists.form.web (>=1.0.0 <=2.0.14), com.liferay:com.liferay.dynamic.data.mapping.form.renderer (>=2.0.0 <=2.1.15) +17 more potentially affected by CVE-2025-43762 via com.liferay:com.liferay.dynamic.data.mapping.form.field.type (=2.0.0)

com.liferay:com.liferay.dynamic.data.mapping.form.field.type MAVEN version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on com.liferay:com.liferay.dynamic.data.mapping.form.field.type and may be impacted: -...

CVSS 6.5 · AI score 5.8 · EPSS 0.00355
Exploits 0
RedhatCVE
added 2025/08/22 7:26 p.m. · 4 views

CVE-2025-43746

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.1 · AI score 5.7 · EPSS 0.002
Exploits 0 · References 1
RedhatCVE
added 2025/08/22 7:26 p.m. · 3 views

CVE-2025-43757

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 4.8 · AI score 5.1 · EPSS 0.00201
Exploits 0 · References 1
Snyk
added 2025/08/22 3:30 a.m. · 3 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the attachment upload functionality. An attacker can exhaust system resources and disrupt service availability by uploading an unlimited number of files to the documentlibrary...

CVSS 6.5 · AI score 7.1 · EPSS 0.00288
Exploits 0 · References 2
Github Security Blog
added 2025/08/20 9:30 p.m. · 9 views

Liferay Portal Vulnerable to Cross-Site Scripting via DDMPortlet_definition Parameter

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.4 · AI score 5.7 · EPSS 0.00201
Exploits 0 · References 12 · Affected Software 1
Github Security Blog
added 2025/08/20 9:30 p.m. · 6 views

Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.4 · AI score 5.8 · EPSS 0.002
Exploits 0 · References 7 · Affected Software 2
Snyk
added 2025/08/20 9:30 p.m. · 1 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the portletNamespace and namespace of the Dynamic Data Mapping portlet. An attacker can execute arbitrary JavaScript code in the context of the user's browser by injecting malicious input into these...

CVSS 5.4 · AI score 5.5 · EPSS 0.002
Exploits 0 · References 2
Snyk
added 2025/08/20 9:30 p.m. · 4 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the definition parameter of Dynamic Data Mapping portlet. An authenticated attacker can execute arbitrary JavaScript code in the context of a user's browser by crafting a malicious request and tricking a use...

CVSS 5.4 · AI score 5.2 · EPSS 0.00201
Exploits 0 · References 2
OSV
added 2025/08/20 9:30 p.m. · 6 views

GHSA-MPWW-R37C-VXJW Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.1 · AI score 5.8 · EPSS 0.002
Exploits 0 · References 7
OSV
added 2025/08/20 9:30 p.m. · 3 views

GHSA-62PF-HCWJ-RCFC Liferay Portal Vulnerable to Cross-Site Scripting via DDMPortlet_definition Parameter

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 4.8 · AI score 5.7 · EPSS 0.00201
Exploits 0 · References 12
OSV
added 2025/08/20 8:15 p.m. · 1 views

CVE-2025-43757

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.4 · AI score 5.8 · EPSS 0.00201
Exploits 0 · References 1
NVD
added 2025/08/20 8:15 p.m. · 6 views

CVE-2025-43757

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.4 · EPSS 0.00201
Exploits 0 · References 1
OSV
added 2025/08/20 7:15 p.m. · 4 views

CVE-2025-43746

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.4 · AI score 5.8 · EPSS 0.002
Exploits 0 · References 1
NVD
added 2025/08/20 7:15 p.m. · 6 views

CVE-2025-43746

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7....

CVSS 5.4 · EPSS 0.002
Exploits 0 · References 1
CVE
added 2025/08/20 6:37 p.m. · 21 views

CVE-2025-43746

CVE-2025-43746 is a reflected XSS vulnerability affecting Liferay Portal 7.4.0–7.4.3.132 and Liferay DXP 2025.Q1.0–Q2.2, 2024.Q1.1–Q4.7, and 7.4 GA up to update 92. The root cause is parameter-based injection via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_l...

CVSS 5.4 · AI score 5.2 · EPSS 0.002
Exploits 0 · References 1 · Affected Software 2
Snyk
added 2025/08/20 3:31 p.m. · 7 views

Files or Directories Accessible to External Parties

Overview: com.liferay:com.liferay.dynamic.data.mapping.form.web is a Liferay Dynamic Data Mapping Form Web. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the DDMFormUploadFileEntryHandler. An attacker can access files uploaded through...

CVSS 5.3 · AI score 6.9 · EPSS 0.00245
Exploits 0 · References 2
Snyk
added 2025/08/20 3:31 p.m. · 4 views

Arbitrary File Upload

Overview: com.liferay:com.liferay.dynamic.data.mapping.form.web is a Liferay Dynamic Data Mapping Form Web. Affected versions of this package are vulnerable to Arbitrary File Upload via the form attachment field without adequate validation. An attacker can upload files with obfuscated extensions a...

CVSS 6.5 · AI score 7.1 · EPSS 0.00287
Exploits 0 · References 2
Positive Technologies
added 2025/08/20 12:0 a.m. · 5 views

PT-2025-34144 · Liferay · Liferay Portal +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132; Liferay DXP versions 2024.Q1.1 through 2024.Q1.18; Liferay DXP versions 2024.Q2.0 through 2024.Q2.13; Liferay DXP versions 2024.Q3.0 through 2024.Q3.13; Liferay DXP versions 2024.Q4.0 through...

CVSS 5.1 · AI score 5.3 · EPSS 0.002
Exploits 0 · References 11