49 matches found
CVE-2025-62275
CVE-2025-62275 affects Liferay Portal 7.4.0–7.4.3.111 and older unsupported versions, and Liferay DXP 2023.Q3–2023.Q4, where images in blog entries bypass permission checks via crafted URLs. The issue stems from missing permission verification in image access within BlogsItemSelectorViewDisplayCo...
EUVD-2025-37387
Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter...
CVE-2025-62266
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allow...
EUVD-2025-36377
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...
EUVD-2025-36360
Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to...
PT-2025-44029
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.7 through 7.4.3.103 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Liferay DXP 7.4 GA through update 92 Liferay Portal 7.3 service pack 3 through update 36 Description The software contains multiple cross-site...
PT-2025-43572
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.5 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay Portal 7.4 GA through update 92...
EUVD-2025-34073
Liferay Publications is vulnerable to Incorrect Authorization...
CVE-2025-43821
Cross-site scripting XSS vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML v...
CVE-2025-43825
A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA...
EUVD-2025-28007
Malicious code in bioql PyPI...
EUVD-2025-27431
Malicious code in bioql PyPI...
CVE-2025-43820
Multiple cross-site scripting XSS vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allo...
CVE-2025-43817
Multiple reflected cross-site scripting XSS vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the redirect...
PT-2025-40020
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.117 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.10 Liferay DXP versions 2024.Q1.1 through 2024.Q1.5 Liferay Portal 7.4 GA through update 92 Older...
CVE-2025-43813
Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older...
GHSA-HRQM-QPW9-W8RV Liferay Portal and DXP vulnerable to a memory leak
A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...
PT-2025-39451
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.119 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2024.Q4.10 Liferay DXP versions 2024.Q1.1 through 2024.Q1.5 Liferay versions 7.4 GA through update 92 Olde...
CVE-2025-43779
CVE-2025-43779 is a reflected XSS in Liferay Portal 7.4.0–7.4.3.112 and Liferay DXP 2024.Q1.1–2024.Q1.18, plus 7.4 GA through update 92. An authenticated remote attacker can inject and reflect JavaScript via the parameter _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinition...
CVE-2025-43803
Insecure direct object reference IDOR vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows...