CVE-2024-4994

Removed by vendor...

Denial Of Service (DoS)

Liferay Portal is vulnerable to Denial Of Service DoS. The vulnerability is due to missing or insufficient validation of GraphQL query depth and complexity, allows attackers to craft overly complex queries that overwhelm the server...

CVE-2025-3602

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on t...

Allocation of Resources Without Limits or Throttling

Overview com.liferay:com.liferay.portal.vulcan.impl is a Liferay Portal Vulcan Implementation Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of restrictions on the depth of GraphQL queries. An attacker can exhaust system...

GHSA-8C26-XM99-53W7 Liferay Portal does not limit the depth of a GraphQL queries

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on t...

Liferay Portal does not limit the depth of a GraphQL queries

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on t...

CVE-2025-3602

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on t...

CVE-2025-3602

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on t...

CVE-2025-3602

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on t...

CVE-2025-3602

CVE-2025-3602 affects Liferay Portal and Liferay DXP (7.4.0–7.4.3.97; 7.3/7.2 lines) where an unrestricted GraphQL query depth allows remote attackers to cause DoS by executing deeply nested queries. The root cause is failure to cap GraphQL query depth, per multiple vendors/advisories in the conn...

PT-2025-25554 · Liferay · Liferay Portal +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.2 fix pack 8 through fix pack 20 Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.97 Liferay DXP versions 7.4 GA through update 92 Liferay DXP versions 2023.Q3.1 through...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +7053 more potentially affected by CVE-2025-41234 via org.springframework:spring-web (>=6.1.0 <=6.1.20)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2025-41234 Source advisory: OSV:GHSA-6R3C-XF4W-JXJM...

CVE-2024-57189

In Erxes 1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler...

CVE-2024-57190

Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...

Incorrect Access Control

Erxes is vulnerable to Incorrect Access Control. The vulnerability is due to authentication bypass due to improper validation of the User HTTP header, allowing attackers to impersonate users and access any GraphQL endpoint...

GraphQL Unauthenticated Mutation Detected

GraphQL is an open-source query and manipulation language for APIs. Unlike regular queries that only read data, mutations are operations designed to modify data on the server. When GraphQL APIs allow mutation operations without requiring proper authentication, attackers can manipulate, insert,...

GHSA-7RHV-XM4Q-WH42 Erxes Incorrect Access Control vulnerability

Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...

Erxes Incorrect Access Control vulnerability

Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...

CVE-2024-57190

Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...

CVE-2024-57190

Erxes 1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint...