33 matches found
Nerdbank.MessagePack has Inefficient CPU Computation
Impact Applications that call OptionalConverters.WithExpandoObjectConverter and deserialize untrusted data are open to a vulnerability by which an attacker can exploit a On² algorithm to burn an inordinate amount of CPU effort by adding a great many properties to an ExpandoObject, whose Add metho...
EUVD-2025-25185
Malicious code in bioql PyPI...
Improper Access Control
com.liferay, com.liferay.portal.workflow.kaleo.runtime.impl is vulnerable to Improper Access Control. The vulnerability is due to improper access through the expandoTableLocalService, which allows an attacker to gain unauthorized access to sensitive resources...
Liferay Portal allows improper access through the expandoTableLocalService
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improp...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the TemplateNotificationMessageGenerator. An attacker can gain unauthorized access to restricted information from expandoTableLocalService by sending crafted requests to the affected service. Remediation Upgrad...
CVE-2025-43773
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improp...
CVE-2025-43773
CVE-2025-43773 affects Liferay Portal 7.4.0–7.4.3.132 and Liferay DXP versions up to 2025.Q2.0/2025.Q1.x and earlier 7.4 GA updates. The root cause is improper access control via expandoTableLocalService, leading to unauthorized access to data. Connected sources confirm the affected versions and ...
CVE-2025-43773
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improp...
Liferay Portal和Liferay DXP 安全漏洞
Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...
CVE-2025-43738
A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19...
CVE-2025-43738
A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19...
CVE-2025-43738
A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19...
CVE-2025-43738
CVE-2025-43738 : A reflected XSS in Liferay Portal/DXP allows a remote authenticated user to inject JavaScript via the _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter. Affected: Liferay Portal 7.4.0–7.4.3.132 and Liferay DXP 2025.Q2.0–Q2.8, 2025.Q1.0–Q1.15, 2024.Q4.0–Q4.7, 2...
PT-2025-33744 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.19 Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through...
Liferay Portal 7.4.x < 7.4.3.4 Multiple Vulnerabilities
The version of Liferay Portal installed on the remote host is prior to 7.4.3.4. It is, therefore, affected by multiple vulnerabilities as referenced in the advisory. - The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pac...
Liferay Portal Expando module and Liferay DXP vulnerable to stored Cross-site Scripting
Stored cross-site scripting XSS vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to...
GHSA-CR36-3VQF-X5W5 Liferay Portal Expando module and Liferay DXP vulnerable to stored Cross-site Scripting
Stored cross-site scripting XSS vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to...
CVE-2024-25601
Stored cross-site scripting XSS vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to...
CVE-2024-25601
CVE-2024-25601 affects the Expando module geolocation custom fields in Liferay Portal 7.2.0–7.4.2 and older unsupported versions, and Liferay DXP 7.3 before SP3, 7.2 before FP17. It is a stored XSS vulnerability allowing remote authenticated users to inject arbitrary web script or HTML via the na...
CVE-2024-25601
Stored cross-site scripting XSS vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to...