Liferay Portal and Liferay DXP allows arbitrary injection via the site name

Cross-site scripting XSS vulnerability in the Layout module's Open Graph integration before 2.0.4 in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name...

Prototype Pollution

open-graph is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as proto, constructor and prototype...