Lookup for vulnerable packages by Package URL.

Purl pkg:maven/com.liferay.portal/release.dxp.bom@7.1.10.fp28
Type maven
Namespace com.liferay.portal
Name release.dxp.bom
Version 7.1.10.fp28
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 7.4.13.u93
Latest_non_vulnerable_version 7.4.13.u93
Affected_by_vulnerabilities
0
url VCID-1fqz-psdf-g7dm
vulnerability_id VCID-1fqz-psdf-g7dm
summary
Liferay Portal and Liferay DXP User Enumeration Vulnerability
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exists in the application by comparing the request's response time.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26268
reference_id
reference_type
scores
0
value 0.00304
scoring_system epss
scoring_elements 0.54027
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26268
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/46db55ec21103fa39542e2cba080c4f98e3c5f93
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/46db55ec21103fa39542e2cba080c4f98e3c5f93
3
reference_url https://github.com/liferay/liferay-portal/commit/d8d0ae0178a2d902b541c80a230a2c7a5ab246e8
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/d8d0ae0178a2d902b541c80a230a2c7a5ab246e8
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268
reference_id CVE-2024-26268
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T16:17:11Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26268
reference_id CVE-2024-26268
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26268
6
reference_url https://github.com/advisories/GHSA-qm43-g2xj-hvg5
reference_id GHSA-qm43-g2xj-hvg5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qm43-g2xj-hvg5
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp20
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-e5h2-wvws-3yhq
2
vulnerability VCID-ebmm-3qj1-8uec
3
vulnerability VCID-ebzh-bpks-5qe2
4
vulnerability VCID-euw1-6mk1-n3he
5
vulnerability VCID-fxtu-zgpf-cbhs
6
vulnerability VCID-p4nc-ucxy-sydb
7
vulnerability VCID-rtqu-78p2-buej
8
vulnerability VCID-vsg8-h11j-63ge
9
vulnerability VCID-xe2v-j69t-d3h3
10
vulnerability VCID-xu7c-vz69-duhp
11
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp20
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u8
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-e5h2-wvws-3yhq
2
vulnerability VCID-ebzh-bpks-5qe2
3
vulnerability VCID-euw1-6mk1-n3he
4
vulnerability VCID-rtqu-78p2-buej
5
vulnerability VCID-tqvb-a46r-jbf8
6
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u8
2
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u27
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u27
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-42k1-vb9z-3qe7
2
vulnerability VCID-9hvg-h2ra-nbcc
3
vulnerability VCID-c3ym-wtv5-hfhr
4
vulnerability VCID-cj4m-mvzh-ckh4
5
vulnerability VCID-d8m3-apv8-zfe1
6
vulnerability VCID-e5h2-wvws-3yhq
7
vulnerability VCID-ebzh-bpks-5qe2
8
vulnerability VCID-gkn8-ehfa-3ugx
9
vulnerability VCID-nntr-5xwu-tya3
10
vulnerability VCID-tqvb-a46r-jbf8
11
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u27
aliases CVE-2024-26268, GHSA-qm43-g2xj-hvg5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1fqz-psdf-g7dm
1
url VCID-266t-4gfq-duh4
vulnerability_id VCID-266t-4gfq-duh4
summary
Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel
Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25150
reference_id
reference_type
scores
0
value 0.00172
scoring_system epss
scoring_elements 0.38467
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25150
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86
3
reference_url https://github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc
4
reference_url https://github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a04
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a04
5
reference_url https://github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dc
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dc
6
reference_url https://github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610d
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610d
7
reference_url https://github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c0
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c0
8
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150
reference_id CVE-2024-25150
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-20T14:56:08Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25150
reference_id CVE-2024-25150
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25150
10
reference_url https://github.com/advisories/GHSA-4585-28v2-8h46
reference_id GHSA-4585-28v2-8h46
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4585-28v2-8h46
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-cj4m-mvzh-ckh4
2
vulnerability VCID-e5h2-wvws-3yhq
3
vulnerability VCID-ebmm-3qj1-8uec
4
vulnerability VCID-ebzh-bpks-5qe2
5
vulnerability VCID-euw1-6mk1-n3he
6
vulnerability VCID-fxtu-zgpf-cbhs
7
vulnerability VCID-p4nc-ucxy-sydb
8
vulnerability VCID-rtqu-78p2-buej
9
vulnerability VCID-vsg8-h11j-63ge
10
vulnerability VCID-xe2v-j69t-d3h3
11
vulnerability VCID-xu7c-vz69-duhp
12
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-cj4m-mvzh-ckh4
2
vulnerability VCID-cxnv-25bg-rubj
3
vulnerability VCID-e5c7-wsvb-dyfm
4
vulnerability VCID-e5h2-wvws-3yhq
5
vulnerability VCID-ebzh-bpks-5qe2
6
vulnerability VCID-ef5k-bdxm-xfer
7
vulnerability VCID-euw1-6mk1-n3he
8
vulnerability VCID-ggs5-4zac-vqa7
9
vulnerability VCID-menx-yu2z-xkeh
10
vulnerability VCID-rtqu-78p2-buej
11
vulnerability VCID-tqvb-a46r-jbf8
12
vulnerability VCID-xe2v-j69t-d3h3
13
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
aliases CVE-2024-25150, GHSA-4585-28v2-8h46
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-266t-4gfq-duh4
2
url VCID-7f43-u96s-qyeq
vulnerability_id VCID-7f43-u96s-qyeq
summary
Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) in the Layout Admin Page
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29048
reference_id
reference_type
scores
0
value 0.00474
scoring_system epss
scoring_elements 0.65127
published_at 2026-06-04T12:55:00Z
1
value 0.00474
scoring_system epss
scoring_elements 0.65169
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29048
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29048
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29048
4
reference_url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601
5
reference_url https://web.archive.org/web/20210524222536/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210524222536/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601
6
reference_url https://github.com/advisories/GHSA-4fx8-82f3-xcpc
reference_id GHSA-4fx8-82f3-xcpc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4fx8-82f3-xcpc
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp11
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-4mcy-yw2p-v7bd
3
vulnerability VCID-5vyh-n1sc-sydy
4
vulnerability VCID-7gqd-78yq-r3be
5
vulnerability VCID-7zhe-ztqw-gkhh
6
vulnerability VCID-8jv6-163j-a7b2
7
vulnerability VCID-9471-umbz-pucy
8
vulnerability VCID-a7z8-2fzy-2qee
9
vulnerability VCID-a93n-jcyj-s7cb
10
vulnerability VCID-afe9-yqy2-8bdb
11
vulnerability VCID-b7h9-cxkj-hkc8
12
vulnerability VCID-cj4m-mvzh-ckh4
13
vulnerability VCID-e5c7-wsvb-dyfm
14
vulnerability VCID-e5h2-wvws-3yhq
15
vulnerability VCID-ebmm-3qj1-8uec
16
vulnerability VCID-ebzh-bpks-5qe2
17
vulnerability VCID-euw1-6mk1-n3he
18
vulnerability VCID-f9dw-g5c2-jba1
19
vulnerability VCID-fxtu-zgpf-cbhs
20
vulnerability VCID-ggs5-4zac-vqa7
21
vulnerability VCID-gp4p-wthk-k3hf
22
vulnerability VCID-h261-uqtv-yfek
23
vulnerability VCID-hrnu-4t2j-9qba
24
vulnerability VCID-hw1d-gdcv-vkec
25
vulnerability VCID-jkje-ckr9-6ffp
26
vulnerability VCID-k9yt-aj7x-3bht
27
vulnerability VCID-menx-yu2z-xkeh
28
vulnerability VCID-n6qs-hded-rydp
29
vulnerability VCID-p4nc-ucxy-sydb
30
vulnerability VCID-p9am-1rhf-6bh2
31
vulnerability VCID-rtqu-78p2-buej
32
vulnerability VCID-uug8-ap5n-r3g2
33
vulnerability VCID-vsg8-h11j-63ge
34
vulnerability VCID-xe2v-j69t-d3h3
35
vulnerability VCID-xu7c-vz69-duhp
36
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp11
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-4mcy-yw2p-v7bd
3
vulnerability VCID-7gqd-78yq-r3be
4
vulnerability VCID-7zhe-ztqw-gkhh
5
vulnerability VCID-a7z8-2fzy-2qee
6
vulnerability VCID-b7h9-cxkj-hkc8
7
vulnerability VCID-c3ym-wtv5-hfhr
8
vulnerability VCID-cj4m-mvzh-ckh4
9
vulnerability VCID-cxnv-25bg-rubj
10
vulnerability VCID-e5c7-wsvb-dyfm
11
vulnerability VCID-e5h2-wvws-3yhq
12
vulnerability VCID-ebzh-bpks-5qe2
13
vulnerability VCID-ef5k-bdxm-xfer
14
vulnerability VCID-euw1-6mk1-n3he
15
vulnerability VCID-ggs5-4zac-vqa7
16
vulnerability VCID-h261-uqtv-yfek
17
vulnerability VCID-hrnu-4t2j-9qba
18
vulnerability VCID-hw1d-gdcv-vkec
19
vulnerability VCID-k6d6-hyep-pbac
20
vulnerability VCID-k7yh-fkj8-t3fx
21
vulnerability VCID-k9yt-aj7x-3bht
22
vulnerability VCID-menx-yu2z-xkeh
23
vulnerability VCID-mph8-zzjv-67av
24
vulnerability VCID-p9am-1rhf-6bh2
25
vulnerability VCID-q7bs-639b-pken
26
vulnerability VCID-rtqu-78p2-buej
27
vulnerability VCID-tqvb-a46r-jbf8
28
vulnerability VCID-uu3m-ef36-jqg7
29
vulnerability VCID-uug8-ap5n-r3g2
30
vulnerability VCID-xa5h-2khm-efgj
31
vulnerability VCID-xe2v-j69t-d3h3
32
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
aliases CVE-2021-29048, GHSA-4fx8-82f3-xcpc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7f43-u96s-qyeq
3
url VCID-8jv6-163j-a7b2
vulnerability_id VCID-8jv6-163j-a7b2
summary
Liferay Portal and Liferay DXP Does Not Properly Restrict Membership to Child Site Based on Parent Site Options
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25149
reference_id
reference_type
scores
0
value 0.00259
scoring_system epss
scoring_elements 0.49523
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25149
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/dfd287acb325e2cddced3910e3baba1d258509de
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/dfd287acb325e2cddced3910e3baba1d258509de
3
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149
reference_id CVE-2024-25149
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T17:46:50Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25149
reference_id CVE-2024-25149
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25149
5
reference_url https://github.com/advisories/GHSA-qpgh-6v9w-vfv6
reference_id GHSA-qpgh-6v9w-vfv6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qpgh-6v9w-vfv6
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-4mcy-yw2p-v7bd
3
vulnerability VCID-5vyh-n1sc-sydy
4
vulnerability VCID-7gqd-78yq-r3be
5
vulnerability VCID-9471-umbz-pucy
6
vulnerability VCID-9yw4-52sc-rbbz
7
vulnerability VCID-a7z8-2fzy-2qee
8
vulnerability VCID-b7h9-cxkj-hkc8
9
vulnerability VCID-cj4m-mvzh-ckh4
10
vulnerability VCID-e5c7-wsvb-dyfm
11
vulnerability VCID-e5h2-wvws-3yhq
12
vulnerability VCID-ebmm-3qj1-8uec
13
vulnerability VCID-ebzh-bpks-5qe2
14
vulnerability VCID-euw1-6mk1-n3he
15
vulnerability VCID-fxtu-zgpf-cbhs
16
vulnerability VCID-ggs5-4zac-vqa7
17
vulnerability VCID-gp4p-wthk-k3hf
18
vulnerability VCID-h261-uqtv-yfek
19
vulnerability VCID-k9yt-aj7x-3bht
20
vulnerability VCID-menx-yu2z-xkeh
21
vulnerability VCID-n6qs-hded-rydp
22
vulnerability VCID-p4nc-ucxy-sydb
23
vulnerability VCID-p9am-1rhf-6bh2
24
vulnerability VCID-rtqu-78p2-buej
25
vulnerability VCID-vsg8-h11j-63ge
26
vulnerability VCID-xe2v-j69t-d3h3
27
vulnerability VCID-xu7c-vz69-duhp
28
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15
aliases CVE-2024-25149, GHSA-qpgh-6v9w-vfv6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8jv6-163j-a7b2
4
url VCID-9471-umbz-pucy
vulnerability_id VCID-9471-umbz-pucy
summary
Liferay Portal and Liferay DXP Allows Templates to be Viewed via the UI or API
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25605
reference_id
reference_type
scores
0
value 0.00186
scoring_system epss
scoring_elements 0.40263
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25605
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/45ffb97de7ac475335215f2b6e86ebe1e7283ab4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/45ffb97de7ac475335215f2b6e86ebe1e7283ab4
3
reference_url https://github.com/liferay/liferay-portal/commit/5eb426ecc49e036ad566e829b8a2132104f7130e
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/5eb426ecc49e036ad566e829b8a2132104f7130e
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605
reference_id CVE-2024-25605
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T16:21:08Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25605
reference_id CVE-2024-25605
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25605
6
reference_url https://github.com/advisories/GHSA-mf8h-grfg-j9j3
reference_id GHSA-mf8h-grfg-j9j3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mf8h-grfg-j9j3
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-7gqd-78yq-r3be
3
vulnerability VCID-9yw4-52sc-rbbz
4
vulnerability VCID-cj4m-mvzh-ckh4
5
vulnerability VCID-e5c7-wsvb-dyfm
6
vulnerability VCID-e5h2-wvws-3yhq
7
vulnerability VCID-ebmm-3qj1-8uec
8
vulnerability VCID-ebzh-bpks-5qe2
9
vulnerability VCID-euw1-6mk1-n3he
10
vulnerability VCID-fxtu-zgpf-cbhs
11
vulnerability VCID-ggs5-4zac-vqa7
12
vulnerability VCID-k9yt-aj7x-3bht
13
vulnerability VCID-menx-yu2z-xkeh
14
vulnerability VCID-p4nc-ucxy-sydb
15
vulnerability VCID-p9am-1rhf-6bh2
16
vulnerability VCID-rtqu-78p2-buej
17
vulnerability VCID-vsg8-h11j-63ge
18
vulnerability VCID-xe2v-j69t-d3h3
19
vulnerability VCID-xu7c-vz69-duhp
20
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
aliases CVE-2024-25605, GHSA-mf8h-grfg-j9j3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9471-umbz-pucy
5
url VCID-a7z8-2fzy-2qee
vulnerability_id VCID-a7z8-2fzy-2qee
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25145
reference_id
reference_type
scores
0
value 0.00152
scoring_system epss
scoring_elements 0.35702
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25145
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145
reference_id CVE-2024-25145
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-08T17:02:17Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25145
reference_id CVE-2024-25145
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25145
4
reference_url https://github.com/advisories/GHSA-9vgq-w5pv-v77q
reference_id GHSA-9vgq-w5pv-v77q
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9vgq-w5pv-v77q
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-7gqd-78yq-r3be
3
vulnerability VCID-9yw4-52sc-rbbz
4
vulnerability VCID-cj4m-mvzh-ckh4
5
vulnerability VCID-e5c7-wsvb-dyfm
6
vulnerability VCID-e5h2-wvws-3yhq
7
vulnerability VCID-ebmm-3qj1-8uec
8
vulnerability VCID-ebzh-bpks-5qe2
9
vulnerability VCID-euw1-6mk1-n3he
10
vulnerability VCID-fxtu-zgpf-cbhs
11
vulnerability VCID-ggs5-4zac-vqa7
12
vulnerability VCID-k9yt-aj7x-3bht
13
vulnerability VCID-menx-yu2z-xkeh
14
vulnerability VCID-p4nc-ucxy-sydb
15
vulnerability VCID-p9am-1rhf-6bh2
16
vulnerability VCID-rtqu-78p2-buej
17
vulnerability VCID-vsg8-h11j-63ge
18
vulnerability VCID-xe2v-j69t-d3h3
19
vulnerability VCID-xu7c-vz69-duhp
20
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-cj4m-mvzh-ckh4
2
vulnerability VCID-cxnv-25bg-rubj
3
vulnerability VCID-e5c7-wsvb-dyfm
4
vulnerability VCID-e5h2-wvws-3yhq
5
vulnerability VCID-ebzh-bpks-5qe2
6
vulnerability VCID-ef5k-bdxm-xfer
7
vulnerability VCID-euw1-6mk1-n3he
8
vulnerability VCID-ggs5-4zac-vqa7
9
vulnerability VCID-menx-yu2z-xkeh
10
vulnerability VCID-rtqu-78p2-buej
11
vulnerability VCID-tqvb-a46r-jbf8
12
vulnerability VCID-xe2v-j69t-d3h3
13
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
2
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.13u8
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.13u8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.13u8
aliases CVE-2024-25145, GHSA-9vgq-w5pv-v77q
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a7z8-2fzy-2qee
6
url VCID-cj4m-mvzh-ckh4
vulnerability_id VCID-cj4m-mvzh-ckh4
summary
Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-11993
reference_id
reference_type
scores
0
value 0.00175
scoring_system epss
scoring_elements 0.38795
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-11993
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
reference_id CVE-2024-11993
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-17T21:24:48Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-11993
reference_id CVE-2024-11993
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-11993
4
reference_url https://github.com/advisories/GHSA-4hxr-28mv-q729
reference_id GHSA-4hxr-28mv-q729
reference_type
scores
url https://github.com/advisories/GHSA-4hxr-28mv-q729
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-42k1-vb9z-3qe7
2
vulnerability VCID-9hvg-h2ra-nbcc
3
vulnerability VCID-c3ym-wtv5-hfhr
4
vulnerability VCID-e5h2-wvws-3yhq
5
vulnerability VCID-ebzh-bpks-5qe2
6
vulnerability VCID-gkn8-ehfa-3ugx
7
vulnerability VCID-tqvb-a46r-jbf8
8
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
aliases CVE-2024-11993, GHSA-4hxr-28mv-q729
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cj4m-mvzh-ckh4
7
url VCID-e5c7-wsvb-dyfm
vulnerability_id VCID-e5c7-wsvb-dyfm
summary
Liferay Portal and Liferay DXP HTTP Header Can Expose Versions
In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via the `Liferay-Portal` response header.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26267
reference_id
reference_type
scores
0
value 0.00224
scoring_system epss
scoring_elements 0.45202
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26267
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/00750dade0cc81efc380fcc6d7e2f58060c4ad95
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/00750dade0cc81efc380fcc6d7e2f58060c4ad95
3
reference_url https://github.com/liferay/liferay-portal/commit/0e881cac66db14a11673c0352def6df04f77d35c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/0e881cac66db14a11673c0352def6df04f77d35c
4
reference_url https://github.com/liferay/liferay-portal/commit/9658cec331feaaaad8bf93c6f65e1768a1f43ae2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/9658cec331feaaaad8bf93c6f65e1768a1f43ae2
5
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267
reference_id CVE-2024-26267
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T15:20:52Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26267
reference_id CVE-2024-26267
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26267
7
reference_url https://github.com/advisories/GHSA-2mvj-q2q3-wxjv
reference_id GHSA-2mvj-q2q3-wxjv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2mvj-q2q3-wxjv
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-cj4m-mvzh-ckh4
2
vulnerability VCID-e5h2-wvws-3yhq
3
vulnerability VCID-ebmm-3qj1-8uec
4
vulnerability VCID-ebzh-bpks-5qe2
5
vulnerability VCID-euw1-6mk1-n3he
6
vulnerability VCID-fxtu-zgpf-cbhs
7
vulnerability VCID-p4nc-ucxy-sydb
8
vulnerability VCID-rtqu-78p2-buej
9
vulnerability VCID-vsg8-h11j-63ge
10
vulnerability VCID-xe2v-j69t-d3h3
11
vulnerability VCID-xu7c-vz69-duhp
12
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u5
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-cj4m-mvzh-ckh4
2
vulnerability VCID-cxnv-25bg-rubj
3
vulnerability VCID-e5h2-wvws-3yhq
4
vulnerability VCID-ebzh-bpks-5qe2
5
vulnerability VCID-ef5k-bdxm-xfer
6
vulnerability VCID-euw1-6mk1-n3he
7
vulnerability VCID-ggs5-4zac-vqa7
8
vulnerability VCID-rtqu-78p2-buej
9
vulnerability VCID-tqvb-a46r-jbf8
10
vulnerability VCID-xe2v-j69t-d3h3
11
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u5
2
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u26
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u26
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-27a1-teqk-cbe2
2
vulnerability VCID-42k1-vb9z-3qe7
3
vulnerability VCID-9hvg-h2ra-nbcc
4
vulnerability VCID-c3ym-wtv5-hfhr
5
vulnerability VCID-cj4m-mvzh-ckh4
6
vulnerability VCID-d8m3-apv8-zfe1
7
vulnerability VCID-e5h2-wvws-3yhq
8
vulnerability VCID-ebzh-bpks-5qe2
9
vulnerability VCID-ggs5-4zac-vqa7
10
vulnerability VCID-gkn8-ehfa-3ugx
11
vulnerability VCID-nntr-5xwu-tya3
12
vulnerability VCID-tqvb-a46r-jbf8
13
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u26
aliases CVE-2024-26267, GHSA-2mvj-q2q3-wxjv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e5c7-wsvb-dyfm
8
url VCID-e5h2-wvws-3yhq
vulnerability_id VCID-e5h2-wvws-3yhq
summary
Liferay Portal and Liferay DXP have Cross-site Scripting vulnerability in edit Service Access Policy page
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37940
reference_id
reference_type
scores
0
value 0.00175
scoring_system epss
scoring_elements 0.38795
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37940
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2023-37940
reference_id CVE-2023-37940
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-17T21:41:20Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2023-37940
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37940
reference_id CVE-2023-37940
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37940
4
reference_url https://github.com/advisories/GHSA-px38-239g-x5mg
reference_id GHSA-px38-239g-x5mg
reference_type
scores
url https://github.com/advisories/GHSA-px38-239g-x5mg
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u30
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u30
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-euw1-6mk1-n3he
3
vulnerability VCID-rtqu-78p2-buej
4
vulnerability VCID-tqvb-a46r-jbf8
5
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u30
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-ezpm-x3vx-zfe6
3
vulnerability VCID-tqvb-a46r-jbf8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
aliases CVE-2023-37940, GHSA-px38-239g-x5mg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e5h2-wvws-3yhq
9
url VCID-ebmm-3qj1-8uec
vulnerability_id VCID-ebmm-3qj1-8uec
summary
Liferay Portal and Liferay DXP Fails to Invalidate CAPTCHA Answers After Use
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after they are used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29047
reference_id
reference_type
scores
0
value 0.00288
scoring_system epss
scoring_elements 0.52541
published_at 2026-06-04T12:55:00Z
1
value 0.00288
scoring_system epss
scoring_elements 0.52601
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29047
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29047
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29047
4
reference_url https://web.archive.org/web/20210524180455/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210524180455/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467
5
reference_url https://github.com/advisories/GHSA-9mxg-p873-6793
reference_id GHSA-9mxg-p873-6793
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9mxg-p873-6793
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-4mcy-yw2p-v7bd
3
vulnerability VCID-7gqd-78yq-r3be
4
vulnerability VCID-7zhe-ztqw-gkhh
5
vulnerability VCID-a7z8-2fzy-2qee
6
vulnerability VCID-b7h9-cxkj-hkc8
7
vulnerability VCID-c3ym-wtv5-hfhr
8
vulnerability VCID-cj4m-mvzh-ckh4
9
vulnerability VCID-cxnv-25bg-rubj
10
vulnerability VCID-e5c7-wsvb-dyfm
11
vulnerability VCID-e5h2-wvws-3yhq
12
vulnerability VCID-ebzh-bpks-5qe2
13
vulnerability VCID-ef5k-bdxm-xfer
14
vulnerability VCID-euw1-6mk1-n3he
15
vulnerability VCID-ggs5-4zac-vqa7
16
vulnerability VCID-h261-uqtv-yfek
17
vulnerability VCID-hrnu-4t2j-9qba
18
vulnerability VCID-hw1d-gdcv-vkec
19
vulnerability VCID-k6d6-hyep-pbac
20
vulnerability VCID-k7yh-fkj8-t3fx
21
vulnerability VCID-k9yt-aj7x-3bht
22
vulnerability VCID-menx-yu2z-xkeh
23
vulnerability VCID-mph8-zzjv-67av
24
vulnerability VCID-p9am-1rhf-6bh2
25
vulnerability VCID-q7bs-639b-pken
26
vulnerability VCID-rtqu-78p2-buej
27
vulnerability VCID-tqvb-a46r-jbf8
28
vulnerability VCID-uu3m-ef36-jqg7
29
vulnerability VCID-uug8-ap5n-r3g2
30
vulnerability VCID-xa5h-2khm-efgj
31
vulnerability VCID-xe2v-j69t-d3h3
32
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
aliases CVE-2021-29047, GHSA-9mxg-p873-6793
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ebmm-3qj1-8uec
10
url VCID-euw1-6mk1-n3he
vulnerability_id VCID-euw1-6mk1-n3he
summary
Liferay Portal and Liferay DXP Vulnerable to XSS via the filter_ Prefix
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Fragment Renderer Collection Filter Implementation before v1.0.11 from Liferay Portal (v7.4.3.4) and Liferay DXP v7.4 GA allow attackers to execute arbitrary web scripts or HTML via parameters with the `filter_` prefix.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-27T17:48:12Z/
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-28980
reference_id
reference_type
scores
0
value 0.00247
scoring_system epss
scoring_elements 0.48188
published_at 2026-06-04T12:55:00Z
1
value 0.00247
scoring_system epss
scoring_elements 0.48251
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-28980
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://github.com/liferay/liferay-portal/commit/b4ea3e9acb6c3602b9c90538ba35f11906dc07ed
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/b4ea3e9acb6c3602b9c90538ba35f11906dc07ed
4
reference_url https://liferay.atlassian.net/browse/LPE-17420
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.atlassian.net/browse/LPE-17420
5
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28980-reflected-xss-with-filter_-parameters-in-applied-fragment-filters?p_r_p_assetEntryId=121612438&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612438%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28980-reflected-xss-with-filter_-parameters-in-applied-fragment-filters?p_r_p_assetEntryId=121612438&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612438%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-28980
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-28980
7
reference_url https://web.archive.org/web/20221114081624/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_*-parameters-in-applied-fragment-filters
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20221114081624/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_*-parameters-in-applied-fragment-filters
8
reference_url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters
reference_id cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-27T17:48:12Z/
url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters
9
reference_url https://github.com/advisories/GHSA-8mp9-w7gr-pvj3
reference_id GHSA-8mp9-w7gr-pvj3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8mp9-w7gr-pvj3
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.5-ga5
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.5-ga5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.5-ga5
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.10.ep1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.10.ep1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-27a1-teqk-cbe2
2
vulnerability VCID-42k1-vb9z-3qe7
3
vulnerability VCID-9hvg-h2ra-nbcc
4
vulnerability VCID-9yw4-52sc-rbbz
5
vulnerability VCID-c3ym-wtv5-hfhr
6
vulnerability VCID-cj4m-mvzh-ckh4
7
vulnerability VCID-d8m3-apv8-zfe1
8
vulnerability VCID-e5c7-wsvb-dyfm
9
vulnerability VCID-e5h2-wvws-3yhq
10
vulnerability VCID-ef5k-bdxm-xfer
11
vulnerability VCID-ggs5-4zac-vqa7
12
vulnerability VCID-gkn8-ehfa-3ugx
13
vulnerability VCID-k9yt-aj7x-3bht
14
vulnerability VCID-menx-yu2z-xkeh
15
vulnerability VCID-rtqu-78p2-buej
16
vulnerability VCID-tqvb-a46r-jbf8
17
vulnerability VCID-uu3m-ef36-jqg7
18
vulnerability VCID-xe2v-j69t-d3h3
19
vulnerability VCID-xn1n-5rgc-83bg
20
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.10.ep1
aliases CVE-2022-28980, GHSA-8mp9-w7gr-pvj3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-euw1-6mk1-n3he
11
url VCID-fxtu-zgpf-cbhs
vulnerability_id VCID-fxtu-zgpf-cbhs
summary
Liferay Portal and Liferay DXP Vulnerable to Multiple SQL Injections
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29053
reference_id
reference_type
scores
0
value 0.00449
scoring_system epss
scoring_elements 0.6393
published_at 2026-06-04T12:55:00Z
1
value 0.00449
scoring_system epss
scoring_elements 0.63972
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29053
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29053
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29053
4
reference_url https://web.archive.org/web/20221121171927/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20221121171927/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120778225
5
reference_url https://github.com/advisories/GHSA-f9wj-c5pc-g9rh
reference_id GHSA-f9wj-c5pc-g9rh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f9wj-c5pc-g9rh
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-4mcy-yw2p-v7bd
3
vulnerability VCID-7gqd-78yq-r3be
4
vulnerability VCID-7zhe-ztqw-gkhh
5
vulnerability VCID-a7z8-2fzy-2qee
6
vulnerability VCID-b7h9-cxkj-hkc8
7
vulnerability VCID-c3ym-wtv5-hfhr
8
vulnerability VCID-cj4m-mvzh-ckh4
9
vulnerability VCID-cxnv-25bg-rubj
10
vulnerability VCID-e5c7-wsvb-dyfm
11
vulnerability VCID-e5h2-wvws-3yhq
12
vulnerability VCID-ebzh-bpks-5qe2
13
vulnerability VCID-ef5k-bdxm-xfer
14
vulnerability VCID-euw1-6mk1-n3he
15
vulnerability VCID-ggs5-4zac-vqa7
16
vulnerability VCID-h261-uqtv-yfek
17
vulnerability VCID-hrnu-4t2j-9qba
18
vulnerability VCID-hw1d-gdcv-vkec
19
vulnerability VCID-k6d6-hyep-pbac
20
vulnerability VCID-k7yh-fkj8-t3fx
21
vulnerability VCID-k9yt-aj7x-3bht
22
vulnerability VCID-menx-yu2z-xkeh
23
vulnerability VCID-mph8-zzjv-67av
24
vulnerability VCID-p9am-1rhf-6bh2
25
vulnerability VCID-q7bs-639b-pken
26
vulnerability VCID-rtqu-78p2-buej
27
vulnerability VCID-tqvb-a46r-jbf8
28
vulnerability VCID-uu3m-ef36-jqg7
29
vulnerability VCID-uug8-ap5n-r3g2
30
vulnerability VCID-xa5h-2khm-efgj
31
vulnerability VCID-xe2v-j69t-d3h3
32
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
aliases CVE-2021-29053, GHSA-f9wj-c5pc-g9rh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fxtu-zgpf-cbhs
12
url VCID-k9yt-aj7x-3bht
vulnerability_id VCID-k9yt-aj7x-3bht
summary
Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Replacement Character
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-25608
reference_id
reference_type
scores
0
value 0.1765
scoring_system epss
scoring_elements 0.95235
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-25608
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/36adf82ef7a09c7035d4f19a1982dcde1ae3f6ae
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/36adf82ef7a09c7035d4f19a1982dcde1ae3f6ae
3
reference_url https://github.com/liferay/liferay-portal/commit/aea651fa5110934b6a00d93391fac87985e27786
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/aea651fa5110934b6a00d93391fac87985e27786
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608
reference_id CVE-2024-25608
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-20T17:50:15Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25608
reference_id CVE-2024-25608
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25608
6
reference_url https://github.com/advisories/GHSA-548x-j6x6-hcv4
reference_id GHSA-548x-j6x6-hcv4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-548x-j6x6-hcv4
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-cj4m-mvzh-ckh4
2
vulnerability VCID-e5h2-wvws-3yhq
3
vulnerability VCID-ebmm-3qj1-8uec
4
vulnerability VCID-ebzh-bpks-5qe2
5
vulnerability VCID-euw1-6mk1-n3he
6
vulnerability VCID-fxtu-zgpf-cbhs
7
vulnerability VCID-p4nc-ucxy-sydb
8
vulnerability VCID-rtqu-78p2-buej
9
vulnerability VCID-vsg8-h11j-63ge
10
vulnerability VCID-xe2v-j69t-d3h3
11
vulnerability VCID-xu7c-vz69-duhp
12
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-cj4m-mvzh-ckh4
2
vulnerability VCID-cxnv-25bg-rubj
3
vulnerability VCID-e5c7-wsvb-dyfm
4
vulnerability VCID-e5h2-wvws-3yhq
5
vulnerability VCID-ebzh-bpks-5qe2
6
vulnerability VCID-ef5k-bdxm-xfer
7
vulnerability VCID-euw1-6mk1-n3he
8
vulnerability VCID-ggs5-4zac-vqa7
9
vulnerability VCID-menx-yu2z-xkeh
10
vulnerability VCID-rtqu-78p2-buej
11
vulnerability VCID-tqvb-a46r-jbf8
12
vulnerability VCID-xe2v-j69t-d3h3
13
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4
2
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u19
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-27a1-teqk-cbe2
2
vulnerability VCID-42k1-vb9z-3qe7
3
vulnerability VCID-9hvg-h2ra-nbcc
4
vulnerability VCID-c3ym-wtv5-hfhr
5
vulnerability VCID-cj4m-mvzh-ckh4
6
vulnerability VCID-d8m3-apv8-zfe1
7
vulnerability VCID-e5c7-wsvb-dyfm
8
vulnerability VCID-e5h2-wvws-3yhq
9
vulnerability VCID-ebzh-bpks-5qe2
10
vulnerability VCID-ggs5-4zac-vqa7
11
vulnerability VCID-gkn8-ehfa-3ugx
12
vulnerability VCID-menx-yu2z-xkeh
13
vulnerability VCID-nntr-5xwu-tya3
14
vulnerability VCID-tqvb-a46r-jbf8
15
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u19
aliases CVE-2024-25608, GHSA-548x-j6x6-hcv4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k9yt-aj7x-3bht
13
url VCID-n6qs-hded-rydp
vulnerability_id VCID-n6qs-hded-rydp
summary
Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers
Liferay Impl before 5.18.4, Liferay Users Admin Web before 5.0.33, Liferay Login Web before 5.0.18, and Liferay Commerce Account Web before 3.0.7 from Liferay Portal (7.2.0 through 7.3.5), and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions do not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal users' password reminder answers.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29038
reference_id
reference_type
scores
0
value 0.00094
scoring_system epss
scoring_elements 0.26352
published_at 2026-06-05T12:55:00Z
1
value 0.00094
scoring_system epss
scoring_elements 0.26248
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29038
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/5e2da784aeefce64107abd0411590db2b55faf0b
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/5e2da784aeefce64107abd0411590db2b55faf0b
3
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038
reference_id CVE-2021-29038
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:45:01Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29038
reference_id CVE-2021-29038
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29038
5
reference_url https://github.com/advisories/GHSA-mwhf-6mjm-6w3h
reference_id GHSA-mwhf-6mjm-6w3h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mwhf-6mjm-6w3h
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-7gqd-78yq-r3be
3
vulnerability VCID-9yw4-52sc-rbbz
4
vulnerability VCID-cj4m-mvzh-ckh4
5
vulnerability VCID-e5c7-wsvb-dyfm
6
vulnerability VCID-e5h2-wvws-3yhq
7
vulnerability VCID-ebmm-3qj1-8uec
8
vulnerability VCID-ebzh-bpks-5qe2
9
vulnerability VCID-euw1-6mk1-n3he
10
vulnerability VCID-fxtu-zgpf-cbhs
11
vulnerability VCID-ggs5-4zac-vqa7
12
vulnerability VCID-k9yt-aj7x-3bht
13
vulnerability VCID-menx-yu2z-xkeh
14
vulnerability VCID-p4nc-ucxy-sydb
15
vulnerability VCID-p9am-1rhf-6bh2
16
vulnerability VCID-rtqu-78p2-buej
17
vulnerability VCID-vsg8-h11j-63ge
18
vulnerability VCID-xe2v-j69t-d3h3
19
vulnerability VCID-xu7c-vz69-duhp
20
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-4mcy-yw2p-v7bd
3
vulnerability VCID-7gqd-78yq-r3be
4
vulnerability VCID-7zhe-ztqw-gkhh
5
vulnerability VCID-a7z8-2fzy-2qee
6
vulnerability VCID-b7h9-cxkj-hkc8
7
vulnerability VCID-c3ym-wtv5-hfhr
8
vulnerability VCID-cj4m-mvzh-ckh4
9
vulnerability VCID-cxnv-25bg-rubj
10
vulnerability VCID-e5c7-wsvb-dyfm
11
vulnerability VCID-e5h2-wvws-3yhq
12
vulnerability VCID-ebzh-bpks-5qe2
13
vulnerability VCID-ef5k-bdxm-xfer
14
vulnerability VCID-euw1-6mk1-n3he
15
vulnerability VCID-ggs5-4zac-vqa7
16
vulnerability VCID-h261-uqtv-yfek
17
vulnerability VCID-hrnu-4t2j-9qba
18
vulnerability VCID-hw1d-gdcv-vkec
19
vulnerability VCID-k6d6-hyep-pbac
20
vulnerability VCID-k7yh-fkj8-t3fx
21
vulnerability VCID-k9yt-aj7x-3bht
22
vulnerability VCID-menx-yu2z-xkeh
23
vulnerability VCID-mph8-zzjv-67av
24
vulnerability VCID-p9am-1rhf-6bh2
25
vulnerability VCID-q7bs-639b-pken
26
vulnerability VCID-rtqu-78p2-buej
27
vulnerability VCID-tqvb-a46r-jbf8
28
vulnerability VCID-uu3m-ef36-jqg7
29
vulnerability VCID-uug8-ap5n-r3g2
30
vulnerability VCID-xa5h-2khm-efgj
31
vulnerability VCID-xe2v-j69t-d3h3
32
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
aliases CVE-2021-29038, GHSA-mwhf-6mjm-6w3h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n6qs-hded-rydp
14
url VCID-p4nc-ucxy-sydb
vulnerability_id VCID-p4nc-ucxy-sydb
summary
Liferay Portal and Liferay DXP Fails to Check Permissions
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29052
reference_id
reference_type
scores
0
value 0.00102
scoring_system epss
scoring_elements 0.27592
published_at 2026-06-04T12:55:00Z
1
value 0.00102
scoring_system epss
scoring_elements 0.27659
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29052
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29052
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29052
4
reference_url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743159
5
reference_url https://github.com/advisories/GHSA-pr7v-qv65-rp9m
reference_id GHSA-pr7v-qv65-rp9m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pr7v-qv65-rp9m
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-4mcy-yw2p-v7bd
3
vulnerability VCID-7gqd-78yq-r3be
4
vulnerability VCID-7zhe-ztqw-gkhh
5
vulnerability VCID-a7z8-2fzy-2qee
6
vulnerability VCID-b7h9-cxkj-hkc8
7
vulnerability VCID-c3ym-wtv5-hfhr
8
vulnerability VCID-cj4m-mvzh-ckh4
9
vulnerability VCID-cxnv-25bg-rubj
10
vulnerability VCID-e5c7-wsvb-dyfm
11
vulnerability VCID-e5h2-wvws-3yhq
12
vulnerability VCID-ebzh-bpks-5qe2
13
vulnerability VCID-ef5k-bdxm-xfer
14
vulnerability VCID-euw1-6mk1-n3he
15
vulnerability VCID-ggs5-4zac-vqa7
16
vulnerability VCID-h261-uqtv-yfek
17
vulnerability VCID-hrnu-4t2j-9qba
18
vulnerability VCID-hw1d-gdcv-vkec
19
vulnerability VCID-k6d6-hyep-pbac
20
vulnerability VCID-k7yh-fkj8-t3fx
21
vulnerability VCID-k9yt-aj7x-3bht
22
vulnerability VCID-menx-yu2z-xkeh
23
vulnerability VCID-mph8-zzjv-67av
24
vulnerability VCID-p9am-1rhf-6bh2
25
vulnerability VCID-q7bs-639b-pken
26
vulnerability VCID-rtqu-78p2-buej
27
vulnerability VCID-tqvb-a46r-jbf8
28
vulnerability VCID-uu3m-ef36-jqg7
29
vulnerability VCID-uug8-ap5n-r3g2
30
vulnerability VCID-xa5h-2khm-efgj
31
vulnerability VCID-xe2v-j69t-d3h3
32
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
aliases CVE-2021-29052, GHSA-pr7v-qv65-rp9m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p4nc-ucxy-sydb
15
url VCID-rtqu-78p2-buej
vulnerability_id VCID-rtqu-78p2-buej
summary
Liferay Portal and Liferay DXP fails to check origin of event messages
The Remote App module before 2.0.21 from Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-25146
reference_id
reference_type
scores
0
value 0.0014
scoring_system epss
scoring_elements 0.33833
published_at 2026-06-05T12:55:00Z
1
value 0.0014
scoring_system epss
scoring_elements 0.33727
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-25146
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://github.com/liferay/liferay-portal/commit/2fe144127a1a3b4c74f47e4b760b992b997c276b
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/2fe144127a1a3b4c74f47e4b760b992b997c276b
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps?p_r_p_assetEntryId=121612000&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612000%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps?p_r_p_assetEntryId=121612000&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612000%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-25146
reference_id CVE-2022-25146
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-25146
6
reference_url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps
reference_id CVE-2022-25146-CSRF-TOKEN-EXFILTRATION-VIA-REMOTE-APPS
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps
7
reference_url https://github.com/advisories/GHSA-ghw5-998m-vw4w
reference_id GHSA-ghw5-998m-vw4w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ghw5-998m-vw4w
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u5
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-27a1-teqk-cbe2
2
vulnerability VCID-42k1-vb9z-3qe7
3
vulnerability VCID-9hvg-h2ra-nbcc
4
vulnerability VCID-9yw4-52sc-rbbz
5
vulnerability VCID-c3ym-wtv5-hfhr
6
vulnerability VCID-cj4m-mvzh-ckh4
7
vulnerability VCID-d8m3-apv8-zfe1
8
vulnerability VCID-e5c7-wsvb-dyfm
9
vulnerability VCID-e5h2-wvws-3yhq
10
vulnerability VCID-ebzh-bpks-5qe2
11
vulnerability VCID-ef5k-bdxm-xfer
12
vulnerability VCID-ggs5-4zac-vqa7
13
vulnerability VCID-gkn8-ehfa-3ugx
14
vulnerability VCID-k9yt-aj7x-3bht
15
vulnerability VCID-menx-yu2z-xkeh
16
vulnerability VCID-tqvb-a46r-jbf8
17
vulnerability VCID-uu3m-ef36-jqg7
18
vulnerability VCID-xe2v-j69t-d3h3
19
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u5
aliases CVE-2022-25146, GHSA-ghw5-998m-vw4w
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rtqu-78p2-buej
16
url VCID-vsg8-h11j-63ge
vulnerability_id VCID-vsg8-h11j-63ge
summary
Liferay Portal and Liferay DXP fails to properly import users from LDAP
Security LDAP Implementation before 2.0.16 from Liferay Portal through v7.2.1 and Liferay DXP through v7.2 does not correctly import users from LDAP, allowing remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exists in LDAP.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-38266
reference_id
reference_type
scores
0
value 0.01851
scoring_system epss
scoring_elements 0.83353
published_at 2026-06-04T12:55:00Z
1
value 0.01851
scoring_system epss
scoring_elements 0.83377
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-38266
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/c3d1e3c7b18be0791360bb57428ea8234bcbb736
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/c3d1e3c7b18be0791360bb57428ea8234bcbb736
3
reference_url https://issues.liferay.com/browse/LPE-17191
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://issues.liferay.com/browse/LPE-17191
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38266?p_r_p_assetEntryId=121611673&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121611673%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38266?p_r_p_assetEntryId=121611673&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121611673%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-38266
reference_id CVE-2021-38266
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-38266
6
reference_url https://github.com/advisories/GHSA-jp3m-vh3g-6ggp
reference_id GHSA-jp3m-vh3g-6ggp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jp3m-vh3g-6ggp
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.0-ga1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.0-ga1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.0-ga1
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-1h16-mptk-gke7
2
vulnerability VCID-266t-4gfq-duh4
3
vulnerability VCID-4mcy-yw2p-v7bd
4
vulnerability VCID-7f43-u96s-qyeq
5
vulnerability VCID-7gqd-78yq-r3be
6
vulnerability VCID-7zhe-ztqw-gkhh
7
vulnerability VCID-a7z8-2fzy-2qee
8
vulnerability VCID-a93n-jcyj-s7cb
9
vulnerability VCID-b7h9-cxkj-hkc8
10
vulnerability VCID-cj4m-mvzh-ckh4
11
vulnerability VCID-cxnv-25bg-rubj
12
vulnerability VCID-e5c7-wsvb-dyfm
13
vulnerability VCID-e5h2-wvws-3yhq
14
vulnerability VCID-ebmm-3qj1-8uec
15
vulnerability VCID-ef5k-bdxm-xfer
16
vulnerability VCID-euw1-6mk1-n3he
17
vulnerability VCID-fxtu-zgpf-cbhs
18
vulnerability VCID-ggs5-4zac-vqa7
19
vulnerability VCID-gz3a-m337-s7dn
20
vulnerability VCID-h261-uqtv-yfek
21
vulnerability VCID-hrnu-4t2j-9qba
22
vulnerability VCID-hw1d-gdcv-vkec
23
vulnerability VCID-k6d6-hyep-pbac
24
vulnerability VCID-k7yh-fkj8-t3fx
25
vulnerability VCID-k9yt-aj7x-3bht
26
vulnerability VCID-menx-yu2z-xkeh
27
vulnerability VCID-mph8-zzjv-67av
28
vulnerability VCID-n6qs-hded-rydp
29
vulnerability VCID-p4nc-ucxy-sydb
30
vulnerability VCID-p9am-1rhf-6bh2
31
vulnerability VCID-q7bs-639b-pken
32
vulnerability VCID-rtqu-78p2-buej
33
vulnerability VCID-tqvb-a46r-jbf8
34
vulnerability VCID-uu3m-ef36-jqg7
35
vulnerability VCID-uug8-ap5n-r3g2
36
vulnerability VCID-x7ny-9pvm-77eh
37
vulnerability VCID-xa5h-2khm-efgj
38
vulnerability VCID-xe2v-j69t-d3h3
39
vulnerability VCID-xwgk-d28b-rbgz
40
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10
aliases CVE-2021-38266, GHSA-jp3m-vh3g-6ggp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vsg8-h11j-63ge
17
url VCID-xe2v-j69t-d3h3
vulnerability_id VCID-xe2v-j69t-d3h3
summary
Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Wiki Web before 7.0.95 from Liferay Portal (7.1.0 through 7.4.3.87), and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-42628
reference_id
reference_type
scores
0
value 0.00159
scoring_system epss
scoring_elements 0.36609
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-42628
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
3
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
reference_id CVE-2023-42628
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42628
reference_id CVE-2023-42628
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-42628
5
reference_url https://github.com/advisories/GHSA-hv45-r2f5-fmhj
reference_id GHSA-hv45-r2f5-fmhj
reference_type
scores
url https://github.com/advisories/GHSA-hv45-r2f5-fmhj
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.1.10.1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.1.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-266t-4gfq-duh4
2
vulnerability VCID-7f43-u96s-qyeq
3
vulnerability VCID-8jv6-163j-a7b2
4
vulnerability VCID-9471-umbz-pucy
5
vulnerability VCID-a7z8-2fzy-2qee
6
vulnerability VCID-cj4m-mvzh-ckh4
7
vulnerability VCID-e5c7-wsvb-dyfm
8
vulnerability VCID-e5h2-wvws-3yhq
9
vulnerability VCID-ebmm-3qj1-8uec
10
vulnerability VCID-euw1-6mk1-n3he
11
vulnerability VCID-fxtu-zgpf-cbhs
12
vulnerability VCID-k9yt-aj7x-3bht
13
vulnerability VCID-n6qs-hded-rydp
14
vulnerability VCID-p4nc-ucxy-sydb
15
vulnerability VCID-rtqu-78p2-buej
16
vulnerability VCID-vsg8-h11j-63ge
17
vulnerability VCID-xu7c-vz69-duhp
18
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.1.10.1
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-e5h2-wvws-3yhq
2
vulnerability VCID-ebmm-3qj1-8uec
3
vulnerability VCID-euw1-6mk1-n3he
4
vulnerability VCID-fxtu-zgpf-cbhs
5
vulnerability VCID-p4nc-ucxy-sydb
6
vulnerability VCID-rtqu-78p2-buej
7
vulnerability VCID-vsg8-h11j-63ge
8
vulnerability VCID-xu7c-vz69-duhp
9
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.1
2
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u34
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u34
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-euw1-6mk1-n3he
3
vulnerability VCID-rtqu-78p2-buej
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u34
3
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-ezpm-x3vx-zfe6
3
vulnerability VCID-tqvb-a46r-jbf8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
aliases CVE-2023-42628, GHSA-hv45-r2f5-fmhj
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xe2v-j69t-d3h3
18
url VCID-xu7c-vz69-duhp
vulnerability_id VCID-xu7c-vz69-duhp
summary
Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS)
Liferay Layout Admin Web before 5.0.0 in Liferay Portal v7.3.6 and below and Liferay DXP v7.3 and below were discovered to contain a cross-site scripting (XSS) vulnerability via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-38265
reference_id
reference_type
scores
0
value 0.00178
scoring_system epss
scoring_elements 0.39077
published_at 2026-06-04T12:55:00Z
1
value 0.00178
scoring_system epss
scoring_elements 0.39165
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-38265
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/ac8267406785c2e70f4b15aadd604fbe7fb4451b
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/ac8267406785c2e70f4b15aadd604fbe7fb4451b
3
reference_url https://liferay.atlassian.net/browse/LPE-17229
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.atlassian.net/browse/LPE-17229
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38265-stored-xss-with-collection-name?p_r_p_assetEntryId=121611955&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121611955%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38265-stored-xss-with-collection-name?p_r_p_assetEntryId=121611955&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121611955%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-38265
reference_id CVE-2021-38265
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-38265
6
reference_url https://github.com/advisories/GHSA-3x83-whxw-pvmg
reference_id GHSA-3x83-whxw-pvmg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3x83-whxw-pvmg
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10
is_vulnerable true
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10
aliases CVE-2021-38265, GHSA-3x83-whxw-pvmg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xu7c-vz69-duhp
19
url VCID-zc36-wq6m-4bbn
vulnerability_id VCID-zc36-wq6m-4bbn
summary
Liferay DXP Vulnerable to Denial-of-service (DoS) in the Multi-Factor Authentication Module
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the other user's TOTP shared secret.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29041
reference_id
reference_type
scores
0
value 0.00507
scoring_system epss
scoring_elements 0.66684
published_at 2026-06-05T12:55:00Z
1
value 0.00507
scoring_system epss
scoring_elements 0.66644
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29041
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://issues.liferay.com/browse/LPE-17131
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://issues.liferay.com/browse/LPE-17131
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29041
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29041
5
reference_url https://github.com/advisories/GHSA-82j7-2h3j-hc7f
reference_id GHSA-82j7-2h3j-hc7f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-82j7-2h3j-hc7f
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
is_vulnerable true
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.fp1
aliases CVE-2021-29041, GHSA-82j7-2h3j-hc7f
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zc36-wq6m-4bbn
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.1.10.fp28