28 matches found
Cross-Site Request Forgery (CSRF)
Liferay Portal is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to improper validation of requests in the Headless API endpoint parameter, which allows a remote attacker to execute arbitrary Headless API calls by crafting a malicious request...
CVE-2025-62258
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter...
CVE-2025-62260
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...
Liferay Portal Vulnerable to CSRF in Headless APIs
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter...
EUVD-2025-36377
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...
GHSA-VGQX-447M-WVCJ Liferay Portal Vulnerable to DoS via Crafted Headless API Request
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...
EUVD-2025-36371
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter...
CVE-2025-62258
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter...
CVE-2025-62258
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter...
CVE-2025-62258
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter...
CVE-2025-62258
CSRF in Headless API of Liferay Portal and Liferay DXP affects multiple releases: Liferay Portal 7.4.0–7.4.3.107 and Liferay DXP 2023.Q3.1–2023.Q3.4, plus 7.4 GA up to update 92 and 7.3 GA up to update 35, and older unsupported versions. The vulnerability allows remote attackers to execute any He...
CVE-2025-62260
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...
CVE-2025-62260
CVE-2025-62260 affects Liferay Portal 7.4.0–7.4.3.99 and Liferay DXP 2023.Q3.1–2023.Q3.4 (also 7.4 GA up to update 92 and 7.3 GA up to update 35; older unsupported versions) where the Headless API does not limit the number of returned objects. This enables remote attackers to trigger denial-of-se...
CVE-2025-62260
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...
CVE-2025-62260
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...
PT-2025-44063
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.107 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Liferay Portal versions 7.4 GA through update 92 Description A Cross-Site Request Forgery CSRF...
Liferay Portal和Liferay DXP 资源管理错误漏洞
Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...
PT-2025-44052
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.99 Liferay Portal versions 7.4 GA through update 92 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Description The software does not limit the numbe...
EUVD-2024-37060
Malicious code in bioql PyPI...
GHSA-HRQM-QPW9-W8RV Liferay Portal and DXP vulnerable to a memory leak
A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...