13 matches found
Cross-site Scripting (XSS)
com.liferay, com.liferay.calendar.web is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper validation of user-supplied input in the Calendar widget’s “Name” field, which allows an attacker to inject arbitrary web scripts or HTML via a crafted payload...
EUVD-2025-31650
Malicious code in bioql PyPI...
PT-2025-40044
Cross-site scripting XSS vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allows remote attackers to inject arbitrary we...
CVE-2025-43820
Multiple cross-site scripting XSS vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allo...
CVE-2025-43820
A validated XSS vulnerability in the Liferay Calendar widget allows remote attackers to inject arbitrary scripts via crafted input in the user’s First Name, Middle text, or Last Name fields. Affected are Liferay Portal 7.4.3.35–7.4.3.110 and Liferay DXP 2023.Q4.0–2023.Q4.4, plus 7.3 Update 25–35 ...
CVE-2025-43818
Cross-site scripting XSS vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allows remote attackers to inject arbitrary we...
PT-2025-39908
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.35 through 7.4.3.110 Liferay DXP versions 2023.Q4.0 through 2023.Q4.4 Liferay DXP versions 2023.Q3.1 through 2023.Q3.6 Liferay Portal versions 7.4 update 35 through update 92 Liferay Portal version 7.3 update 25...
GHSA-G4VP-4GQR-7V8C Liferay Portal Enumeration Discrepancy in Calendars
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by...
com.liferay:com.liferay.calendar.web (>=1.0.0 <=1.0.53), com.liferay:com.liferay.calevent.importer (>=1.0.0 <=1.0.11) potentially affected by CVE-2025-43739 via com.liferay:com.liferay.calendar.service (>=1.0.0 <=2.4.0)
com.liferay:com.liferay.calendar.service MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.0.11 Source cves: CVE-2025-43739 Source advisory: OSV:GHSA-7MXQ-H2R7-H449...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the calendar portlet. An attacker can alter the content of emails sent to other users by leveraging authenticated access, potentially enabling the distribution of deceptive messages within the same organization...
CVE-2024-25151
The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote...
CVE-2024-25151
The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote...
Liferay Calendar exportFileName Path Manipulation
Minded Security Labs: Advisory MSA261009 Liferay Calendar "exportFileName" path manipulation Tested Versions: Liferay Enterprise Portal 4.4.2, other versions may also be affected. Minded Security ReferenceID: MSA261009 Credits: Discovery by Stefano Di Paola of Minded Security stefano.dipaola at...