16 matches found
CVE-2025-62252
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in o...
Liferay Portal and Liferay DXP Security Vulnerability
Liferay Portal and Liferay DXP are both products of Liferay, Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...
EUVD-2025-25271
Malicious code in bioql PyPI...
Cross-site Scripting (XSS)
Liferay Portal is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to insufficient input sanitization due to improper handling of the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter, allowing remote authenticated attackers to inject JavaScript...
CVE-2025-43741
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows ...
PT-2025-34040 · Liferay · Liferay Portal +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132; Liferay DXP versions 2024.Q1.1 through 2024.Q1.14; Liferay DXP versions 2024.Q2.0 through 2024.Q2.13; Liferay DXP versions 2024.Q3.1 through 2024.Q3.13; Liferay DXP versions 2024.Q4.0 through...
CVE-2024-3164
In the dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, are accessible to anyone with that portlet and not just to CMS Admins. Users who are site admins but not system admins should not have access to the System...
CVE-2008-0182
Cross-site request forgery (CSRF) vulnerability in the Admin portlet in Liferay Portal before 4.4.0 allows remote authenticated users to perform unspecified actions as unspecified other authenticated users via the Shutdown message...
PT-2024-13048 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.3 through 7.4.3.97; Liferay DXP 2023.Q3 before patch 6; Liferay DXP 7.4 GA through update 92; Liferay DXP 7.3 before update 34. Description: A reflected cross-site scripting (XSS) issue exists on the add assignees to a...
CVE-2021-38267
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and...
Liferay Portal and Liferay DXP Cross-Site Scripting Vulnerability
Liferay Portal and Liferay DXP are both products of Liferay Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP ...
CVE-2014-3416
CVE-2014-3416 affects uPortal prior to 4.0.13.1. The vulnerability arises from an improper check of MANAGE permissions, enabling remote authenticated users to manage arbitrary portlets by abusing the portlet-admin portlet’s SUBSCRIBE permission. The impact is the potential modification/management...
Cross site scripting
Cross-site scripting (XSS) vulnerability in the Admin portlet in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Shutdown message...
CVE-2008-0182
Cross-site request forgery (CSRF) vulnerability in the Admin portlet in Liferay Portal before 4.4.0 allows remote authenticated users to perform unspecified actions as unspecified other authenticated users via the Shutdown message...
CVE-2008-0181
The CVE-2008-0181 issue affects Liferay Portal 4.3.6, where the Admin portlet’s Shutdown message fails to validate input, enabling remote authenticated users to inject arbitrary script/HTML. The vulnerability is an XSS in the Shutdown message display. The Red Hat/NVD entries corroborate the same ...
Liferay Portal Admin portlet Shutdown message XSS
Overview: Liferay Portal Admin portlet fails to properly validate input to the shutdown message, which can allow a remote, authenticated attacker to inject script into the message displayed to all users when the server is being shut down. Description: Liferay Portal is an enterprise portal solution...