PT-2025-34147 · Liferay · Liferay Portal +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.18 Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through...

Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels

A stored DOM-based Cross-Site Scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and...

CVE-2025-43744

A stored DOM-based Cross-Site Scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and...

CVE-2025-43744

A stored, DOM-based XSS in Liferay Portal 7.4.0–7.4.3.132 and Liferay DXP 2024–2025 (various Qx updates) via the Asset Publisher UI in Source.js, allowing JavaScript injection through DDM structure field labels inserted into the DOM via innerHTML without proper encoding. Impact is client-side XSS...

CVE-2025-43744

A stored DOM-based Cross-Site Scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and...

KGMark: a Diffusion Watermark for Knowledge Graphs

Knowledge graphs KGs are ubiquitous in numerous real-world applications, and watermarking facilitates protecting intellectual property and preventing potential harm from AI-generated content. Existing watermarking methods mainly focus on static plain text or image data, while they can hardly be...

CVE-2023-6938

The Oxygen Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom field in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above...

CVE-2021-38268

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site...

CVE-2025-46579

There is a DDE injection vulnerability in the GoldenDB database product. Attackers can inject DDE expressions through the interface, and when users download and open the affected file, the DDE commands can be executed...

ZTE GoldenDB 安全漏洞

ZTE GoldenDB is a financial-grade transactional distributed database from China's ZTE Corporation ZTE. It is used in finance, government and enterprise, telecom and other industries to provide highly available data services. ZTE GoldenDB suffers from a DDE injection vulnerability, which can be...

Important: Red Hat Security Advisory: python-jinja2 security update

An update for python-jinja2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is availab...

Uninitialized Memory Exposure

Overview com.liferay:com.liferay.dynamic.data.mapping.form.web is a Liferay Dynamic Data Mapping Form Web. Affected versions of this package are vulnerable to Uninitialized Memory Exposure due to insufficient permission checks in the doServeResource function in...

Moderate: Red Hat Security Advisory: python-jinja2 security update

An update for python-jinja2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is availabl...

CVE-2024-25603

Stored cross-site scripting XSS vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users...

Important: Red Hat Security Advisory: python36:3.6 security update

An update for the python36:3.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

Moderate: Red Hat Security Advisory: python3.9 security update

An update for python3.9 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

Moderate: python3.11 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

Microsoft SQL Server Masked Data Exposure

Title: SQL Server Masked Data Exposure Through Brute Force Attack Product: Database Manufacturer: Microsoft Affected Versions: SQL Server 2014, 2016,2017,2019,2022 Tested Versions: SQL Server 2014, 2016,2017,2019,2022 Risk Level: Low Security Feature: Dynamic Data Masking Author of Advisory: Emad...

Cross-Site Scripting

liferay.portal are vulnerable to stored cross-site scripting XSS. The vulnerability is due to improper input validation in the Dynamic Data Mapping module's DDMForm, allowing remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter...

GHSA-44JG-JGJX-3XG5 Liferay Portal's Dynamic Data Mapping module's DDMForm and Liferay DXP vulnerable to stored Cross-site Scripting

Stored cross-site scripting XSS vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users...