PT-2025-39902

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.35 through 7.4.3.110 Liferay DXP versions 2023.Q3.1 through 2023.Q3.6 Liferay DXP versions 2023.Q4.0 through 2023.Q4.4 Liferay Portal versions 7.4 update 35 through update 92 Liferay Portal version 7.3 update 25...

Esri Portal For ArcGIS 跨站脚本漏洞

Esri Portal For ArcGIS is a component from Esri that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A cross-site scripting vulnerability exists in Esri Portal for ArcGIS version 11.4 and earlier, which stems from a stored...

CVE-2025-29156

The CVE-2025-29156 entry concerns the Swagger Petstore sample (petstore) software, version 1.0.7, with a Cross Site Scripting (XSS) vulnerability in the /api/v3/pet endpoint. The root cause is input handling that allows crafted scripts to be processed, enabling a remote attacker to execute arbitr...

GHSA-JH9H-8XF2-25WJ Liferay has a stored cross-site scripting (XSS) vulnerability via a a publication’s “Name” text field

Stored cross-site scripting XSS vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web scripts or HTML via a crafte...

CVE-2025-43807

Stored cross-site scripting XSS vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted...

CVE-2025-43802

Stored cross-site scripting XSS vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web...

CVE-2025-43800

Cross-site scripting XSS vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a...

Liferay search widget vulnerable to Cross-site Scripting

There is a Cross-site scripting XSS vulnerability in Liferay Portal's Search widget . Versions 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 allow remote attackers to inject arbitrary web scripts or HTML via the...

GHSA-VG6H-G5MR-9HGV Liferay Stored Cross-site Scripting vulnerability

Stored cross-site scripting XSS vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35 allows remote attackers to inject arbitrary web...

PT-2025-38092

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.93 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Liferay DXP version 2023.Q4.0 Description: A cross-site scripting XSS vulnerability exists in the Search widget. This allows remote attackers ...

GHSA-JFV5-R382-XVWH Liferay Portal Cross-site Scripting (XSS) vulnerability

Cross-site scripting XSS vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a...

CVE-2025-43800

Cross-site scripting XSS vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a...

CVE-2025-43800

Cross-site scripting XSS vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a...

CVE-2025-43800

CVE-2025-43800 affects Liferay Portal/ Liferay DXP where a vulnerability in Rich Text fields of Objects allows remote attackers to inject arbitrary scripts via crafted payloads. Affected: Liferay Portal 7.4.3.20–7.4.3.111 and Liferay DXP 2023.Q4.0, 2023.Q3.1–2023.Q3.4, and 7.4 GA through update 9...

CVE-2025-43791

Multiple cross-site scripting XSS vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected...

CVE-2025-43783

Reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML vi...

GHSA-66X6-8JGV-QPFH Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting

A stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks...

CVE-2025-43785

Stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks pa...

CVE-2025-43785

Stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks pa...

PT-2025-37067

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.45 through 7.4.3.128 Liferay DXP versions 2024 Q1.1 through 2024.Q1.12 Liferay DXP versions 2024 Q2.0 through 2024.Q2.9 Liferay versions 7.4 update 45 through update 92 Description: A stored cross-site scripting...