CVE-2025-62248

A reflected cross-site scripting XSS vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the comliferayportalsecurityauditwebportletAuditPortletauditEventId parameter. An attacker can access audit events belonging to a different virtual instance by specifying the identifi...

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the render function used by the My Account widget. An attacker can perform administrative actions, execute arbitrary code, and alter user settings by convincing a user to follow a link including a...

CVE-2021-29041

Denial-of-service DoS vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by 1 enabling Time-based One-time password TOTP on behalf of the other user or 2 modifying the other...