CVE-2025-62267

Multiple cross-site scripting XSS vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary we...

PT-2025-44661

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.35 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.10 Liferay Portal versions 7.4 update 35 through update 92 Description The software contains...

GHSA-8HW3-GHWV-CRFH Liferay Portal vulnerable to password enumeration

Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers t...

PT-2025-44052

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.99 Liferay Portal versions 7.4 GA through update 92 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Description The software does not limit the numbe...

CVE-2025-62249

A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13,...

CVE-2025-62241

Insecure Direct Object Reference IDOR vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the...

EUVD-2025-34077

Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key...

CVE-2025-62241

Insecure Direct Object Reference IDOR vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the...

EUVD-2025-34074

Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key...

CVE-2025-62244

Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edi...

Liferay DXP 安全漏洞

Liferay DXP is a suite of digital experience collaboration platforms from Liferay USA. A security vulnerability exists in Liferay DXP versions 2023.Q4.1 through 2023.Q4.5, which stems from the comliferaycommerceorderwebinternalportletCommerceOrderPortletcommerceOrderId An insecure direct object...

EUVD-2025-25497

Malicious code in bioql PyPI...

EUVD-2025-29258

Malicious code in bioql PyPI...

EUVD-2025-25620

Malicious code in bioql PyPI...

EUVD-2025-27275

Malicious code in bioql PyPI...

CVE-2025-43811

Multiple stored cross-site scripting XSS vulnerability in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 update 50 through update 92 allows remote authenticated attackers to inject arbitrar...

CVE-2025-43806

Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows remote authenticated users to access the exported data via...

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the SpSessionTerminationSamlPortalFilter. An attacker can gain unauthorized access to user accounts by reusing old session tokens via the SLO API, causing the session to be reinitialized when it should...

CVE-2025-43819

A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is allow an remote non-authenticated attacker to reuse old...

CVE-2025-43779

A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via...