Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93

Type maven

Namespace com.liferay.portal

Name release.dxp.bom

Version 7.4.13.u93

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-27a1-teqk-cbe2

vulnerability_id VCID-27a1-teqk-cbe2

summary

Liferay Portal and Liferay DXP vulnerable to store Cross-site Scripting
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-43776

reference_id

reference_type

scores

value	0.00044
scoring_system	epss
scoring_elements	0.13928
published_at	2026-06-05T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13811
published_at	2026-06-08T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13895
published_at	2026-06-07T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13932
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-43776

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://liferay.atlassian.net/browse/LPE-18277

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://liferay.atlassian.net/browse/LPE-18277

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43776

reference_id

CVE-2025-43776

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T15:04:48Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43776

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-43776

reference_id

CVE-2025-43776

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-43776

reference_url	https://github.com/advisories/GHSA-rcc7-jx7p-hrv4
reference_id	GHSA-rcc7-jx7p-hrv4
reference_type
scores
url	https://github.com/advisories/GHSA-rcc7-jx7p-hrv4

fixed_packages

url	pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
purl	pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93

url	pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.20
purl	pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.20
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.20

url	pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.17
purl	pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.17
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.17

url	pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q2.10
purl	pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q2.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q2.10

aliases CVE-2025-43776, GHSA-rcc7-jx7p-hrv4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-27a1-teqk-cbe2

url VCID-ebzh-bpks-5qe2

vulnerability_id VCID-ebzh-bpks-5qe2

summary

Liferay Cross-site Scripting vulnerability
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-3760

reference_id

reference_type

scores

value	0.00157
scoring_system	epss
scoring_elements	0.363
published_at	2026-06-05T12:55:00Z

value	0.00157
scoring_system	epss
scoring_elements	0.36235
published_at	2026-06-08T12:55:00Z

value	0.00157
scoring_system	epss
scoring_elements	0.36271
published_at	2026-06-07T12:55:00Z

value	0.00157
scoring_system	epss
scoring_elements	0.36309
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-3760

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760

reference_id

CVE-2025-3760

reference_type

scores

value	4.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-17T13:22:03Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-3760

reference_id

CVE-2025-3760

reference_type

scores

value	4.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-3760

reference_url	https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
reference_id	GHSA-qhp6-vp7c-g7xp
reference_type
scores
url	https://github.com/advisories/GHSA-qhp6-vp7c-g7xp

fixed_packages

url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.1

purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cj4m-mvzh-ckh4

vulnerability	VCID-e5h2-wvws-3yhq

vulnerability	VCID-ebmm-3qj1-8uec

vulnerability	VCID-euw1-6mk1-n3he

vulnerability	VCID-fxtu-zgpf-cbhs

vulnerability	VCID-p4nc-ucxy-sydb

vulnerability	VCID-rtqu-78p2-buej

vulnerability	VCID-vsg8-h11j-63ge

vulnerability	VCID-xu7c-vz69-duhp

vulnerability	VCID-zc36-wq6m-4bbn

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.1

url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.0-2

purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.0-2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cj4m-mvzh-ckh4

vulnerability	VCID-euw1-6mk1-n3he

vulnerability	VCID-rtqu-78p2-buej

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.0-2

url	pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
purl	pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93

url	pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
purl	pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13

url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13

purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-27a1-teqk-cbe2

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13

url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0

purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-27a1-teqk-cbe2

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0

url	pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
purl	pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10

url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10

purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-27a1-teqk-cbe2

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10

url pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0

purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-27a1-teqk-cbe2

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0

url pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0

purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-27a1-teqk-cbe2

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0

aliases CVE-2025-3760, GHSA-qhp6-vp7c-g7xp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ebzh-bpks-5qe2

url VCID-tqvb-a46r-jbf8

vulnerability_id VCID-tqvb-a46r-jbf8

summary

Liferay Portal and Liferay DXP Vulnerable to XSS in the Commerce Module
Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module before 4.0.35 from Liferay Portal (7.3.5 through 7.4.3.91), and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-42627

reference_id

reference_type

scores

value	0.00208
scoring_system	epss
scoring_elements	0.4326
published_at	2026-06-05T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43211
published_at	2026-06-08T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43245
published_at	2026-06-07T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43268
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-42627

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627

reference_id

CVE-2023-42627

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-02T19:36:13Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-42627

reference_id

CVE-2023-42627

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-42627

reference_url

https://github.com/advisories/GHSA-qp68-5v39-r869

reference_id

GHSA-qp68-5v39-r869

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qp68-5v39-r869

reference_url

https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/

reference_id

stored-cross-site-scripting-vulnerabilities-in-liferay-portal

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-02T19:36:13Z/

url

https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/

fixed_packages

url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u34

purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u34

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cj4m-mvzh-ckh4

vulnerability	VCID-ebzh-bpks-5qe2

vulnerability	VCID-euw1-6mk1-n3he

vulnerability	VCID-rtqu-78p2-buej

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u34

url	pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
purl	pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93

aliases CVE-2023-42627, GHSA-qp68-5v39-r869

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tqvb-a46r-jbf8

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93

Package Instance