4 matches found

Veracode
added 2025/09/10 10:3 a.m. · 3 views

Cross-site Scripting (XSS)

com.liferay.portal, release.portal.bom is vulnerable to Stored DOM-based Cross-Site Scripting (XSS). The vulnerability is due to improper handling of DDM structure field labels in the Asset Publisher configuration UI within the Source.js module, where values are inserted into the DOM using innerHTM...

CVSS 5.4 · AI score 6.2 · EPSS 0.00046
Exploits: 0 · References: 6 · Affected Software: 3
Github Security Blog
added 2025/08/19 9:30 p.m. · 5 views

Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels

A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and...

CVSS 5.4 · AI score 5.7 · EPSS 0.00046
Exploits: 0 · References: 6 · Affected Software: 1
CVE
added 2025/08/19 7:34 p.m. · 10 views

CVE-2025-43744

A stored, DOM-based XSS in Liferay Portal 7.4.0–7.4.3.132 and Liferay DXP 2024–2025 (various Qx updates) via the Asset Publisher UI in Source.js, allowing JavaScript injection through DDM structure field labels inserted into the DOM via innerHTML without proper encoding. Impact is client-side XSS...

CVSS 5.4 · AI score 5.7 · EPSS 0.00046
Exploits: 0 · References: 1 · Affected Software: 2
Positive Technologies
added 2025/08/19 12:0 a.m. · 3 views

PT-2025-33857 · Liferay · Liferay Dxp +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132; Liferay DXP versions 2024.Q1.1 through 2024.Q1.19; Liferay DXP versions 2024.Q2.0 through 2024.Q2.13; Liferay DXP versions 2024.Q3.1 through 2024.Q3.13; Liferay DXP versions 2024.Q4.0 through...

CVSS 5.1 · AI score 5.5 · EPSS 0.00046
Exploits: 0 · References: 8