Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/68816?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "type": "maven", "namespace": "com.liferay.portal", "name": "release.dxp.bom", "version": "7.3.10.u4", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "7.3.10.u5", "latest_non_vulnerable_version": "2025.Q2.10", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47059?format=api", "vulnerability_id": "VCID-266t-4gfq-duh4", "summary": "Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel\nInformation disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a04", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a04" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dc", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dc" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610d", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610d" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c0" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150", "reference_id": "CVE-2024-25150", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25150", "reference_id": "CVE-2024-25150", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25150" }, { "reference_url": "https://github.com/advisories/GHSA-4585-28v2-8h46", "reference_id": "GHSA-4585-28v2-8h46", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4585-28v2-8h46" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68831?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25150", "GHSA-4585-28v2-8h46" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-266t-4gfq-duh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47045?format=api", "vulnerability_id": "VCID-38vz-usgx-g7dv", "summary": "Liferay Portal defaults to a low work factor for the default password hashing algorithm\nThe default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607", "reference_id": "CVE-2024-25607", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25607" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25607", "reference_id": "CVE-2024-25607", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25607" }, { "reference_url": "https://github.com/advisories/GHSA-43h9-p3j4-39hm", "reference_id": "GHSA-43h9-p3j4-39hm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-43h9-p3j4-39hm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/69054?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u16" } ], "aliases": [ "CVE-2024-25607", "GHSA-43h9-p3j4-39hm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-38vz-usgx-g7dv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47091?format=api", "vulnerability_id": "VCID-4mcy-yw2p-v7bd", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25601", "reference_id": "CVE-2024-25601", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25601" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25601", "reference_id": "CVE-2024-25601", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25601" }, { "reference_url": "https://github.com/advisories/GHSA-cr36-3vqf-x5w5", "reference_id": "GHSA-cr36-3vqf-x5w5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cr36-3vqf-x5w5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25601", "GHSA-cr36-3vqf-x5w5" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4mcy-yw2p-v7bd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110137?format=api", "vulnerability_id": "VCID-7gqd-78yq-r3be", "summary": "Liferay Portal and Liferay DXP Vulnerable to XSS via the Sharing Module\nA Cross-site scripting (XSS) vulnerability in the Sharing module's user notification before 3.0.9 from Liferay Portal (7.2.1 through 7.4.2), and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42111", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00175", "scoring_system": "epss", "scoring_elements": "0.38651", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42111" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/0307ce50253f03203e613534ea03061b0b38caf0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/0307ce50253f03203e613534ea03061b0b38caf0" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/4dec737577cfa2d7dd857bf9b4a4ffb5fc02dcc7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/4dec737577cfa2d7dd857bf9b4a4ffb5fc02dcc7" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/5a0d16269d0a2e1b370ad8c38ee4d11f34476af5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/5a0d16269d0a2e1b370ad8c38ee4d11f34476af5" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/9d53dd83c80833c318f80b7116c441cf005cc781", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/9d53dd83c80833c318f80b7116c441cf005cc781" }, { "reference_url": "https://issues.liferay.com/browse/LPE-17379", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.liferay.com/browse/LPE-17379" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-42111?p_r_p_assetEntryId=121612900&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612900%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-42111?p_r_p_assetEntryId=121612900&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612900%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42111", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42111" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68831?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2022-42111", "GHSA-p768-r2m2-8vjr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7gqd-78yq-r3be" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46965?format=api", "vulnerability_id": "VCID-a7z8-2fzy-2qee", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145", "reference_id": "CVE-2024-25145", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25145", "reference_id": "CVE-2024-25145", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25145" }, { "reference_url": "https://github.com/advisories/GHSA-9vgq-w5pv-v77q", "reference_id": "GHSA-9vgq-w5pv-v77q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9vgq-w5pv-v77q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/68817?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.13u8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.13u8" } ], "aliases": [ "CVE-2024-25145", "GHSA-9vgq-w5pv-v77q" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a7z8-2fzy-2qee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47075?format=api", "vulnerability_id": "VCID-b7h9-cxkj-hkc8", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152", "reference_id": "CVE-2024-25152", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25152", "reference_id": "CVE-2024-25152", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25152" }, { "reference_url": "https://github.com/advisories/GHSA-p28x-4r5h-ph6j", "reference_id": "GHSA-p28x-4r5h-ph6j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p28x-4r5h-ph6j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25152", "GHSA-p28x-4r5h-ph6j" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b7h9-cxkj-hkc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47080?format=api", "vulnerability_id": "VCID-h261-uqtv-yfek", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization’s “Name” text field", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25602", "reference_id": "CVE-2024-25602", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25602" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25602", "reference_id": "CVE-2024-25602", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25602" }, { "reference_url": "https://github.com/advisories/GHSA-v2xq-m22w-jmpr", "reference_id": "GHSA-v2xq-m22w-jmpr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v2xq-m22w-jmpr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25602", "GHSA-v2xq-m22w-jmpr" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h261-uqtv-yfek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47049?format=api", "vulnerability_id": "VCID-hhmu-vsj9-gudx", "summary": "Liferay Portal has a Stored XSS with Blog entries (Insecure defaults)\nIn Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610", "reference_id": "CVE-2024-25610", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25610", "reference_id": "CVE-2024-25610", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25610" }, { "reference_url": "https://github.com/advisories/GHSA-vvpf-53qx-cxhh", "reference_id": "GHSA-vvpf-53qx-cxhh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vvpf-53qx-cxhh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68831?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/69035?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u9" } ], "aliases": [ "CVE-2024-25610", "GHSA-vvpf-53qx-cxhh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hhmu-vsj9-gudx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47078?format=api", "vulnerability_id": "VCID-hrnu-4t2j-9qba", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147", "reference_id": "CVE-2024-25147", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25147", "reference_id": "CVE-2024-25147", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25147" }, { "reference_url": "https://github.com/advisories/GHSA-xpjg-7hx7-wgcx", "reference_id": "GHSA-xpjg-7hx7-wgcx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xpjg-7hx7-wgcx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68843?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9yw4-52sc-rbbz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25147", "GHSA-xpjg-7hx7-wgcx" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hrnu-4t2j-9qba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46974?format=api", "vulnerability_id": "VCID-hw1d-gdcv-vkec", "summary": "Liferay Portal vulnerable to user impersonation\nIn Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148", "reference_id": "CVE-2024-25148", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25148", "reference_id": "CVE-2024-25148", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25148" }, { "reference_url": "https://github.com/advisories/GHSA-qwj8-qgpr-8crm", "reference_id": "GHSA-qwj8-qgpr-8crm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qwj8-qgpr-8crm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68843?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9yw4-52sc-rbbz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25148", "GHSA-qwj8-qgpr-8crm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hw1d-gdcv-vkec" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110105?format=api", "vulnerability_id": "VCID-j127-h1mf-nqam", "summary": "Liferay Portal and Liferay DXP Vulnerable to SQL Injection via Friendly URL Module\nA SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.", "references": [ { "reference_url": "http://liferay.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://liferay.com" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42122", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74644", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42122" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://issues.liferay.com/browse/LPE-17520", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.liferay.com/browse/LPE-17520" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-42122?p_r_p_assetEntryId=121613466&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121613466%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-42122?p_r_p_assetEntryId=121613466&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121613466%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42122", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42122" }, { "reference_url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122" }, { "reference_url": "https://web.archive.org/web/20221115051621/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20221115051621/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2022-42122", "GHSA-hw56-7xj4-7gx6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j127-h1mf-nqam" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110228?format=api", "vulnerability_id": "VCID-k1u8-ur3y-zucd", "summary": "Liferay Portal and Liferay DXP Includes LDAP Credentials in the Page URL\nThe Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.", "references": [ { "reference_url": "http://liferay.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://liferay.com" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42132", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.5606", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42132" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/4a53b64fb714c7ff989b99ddccc3de116095453d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/4a53b64fb714c7ff989b99ddccc3de116095453d" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/b6cff511119d71dea38f5485761730f4fb5d4430", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/b6cff511119d71dea38f5485761730f4fb5d4430" }, { "reference_url": "https://issues.liferay.com/browse/LPE-17438", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.liferay.com/browse/LPE-17438" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-42132?p_r_p_assetEntryId=121613918&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121613918%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-42132?p_r_p_assetEntryId=121613918&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121613918%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42132", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42132" }, { "reference_url": "https://web.archive.org/web/20221020134303/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20221020134303/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/148567?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.1.10.fp27", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.1.10.fp27" }, { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2022-42132", "GHSA-f43m-hhj4-q3jg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k1u8-ur3y-zucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47065?format=api", "vulnerability_id": "VCID-k9yt-aj7x-3bht", "summary": "Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Replacement Character\nHtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/36adf82ef7a09c7035d4f19a1982dcde1ae3f6ae", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/36adf82ef7a09c7035d4f19a1982dcde1ae3f6ae" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/aea651fa5110934b6a00d93391fac87985e27786", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/aea651fa5110934b6a00d93391fac87985e27786" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608", "reference_id": "CVE-2024-25608", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25608", "reference_id": "CVE-2024-25608", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25608" }, { "reference_url": "https://github.com/advisories/GHSA-548x-j6x6-hcv4", "reference_id": "GHSA-548x-j6x6-hcv4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-548x-j6x6-hcv4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68831?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp19" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/69056?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u19" } ], "aliases": [ "CVE-2024-25608", "GHSA-548x-j6x6-hcv4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k9yt-aj7x-3bht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46977?format=api", "vulnerability_id": "VCID-p9am-1rhf-6bh2", "summary": "Observable Response Discrepancy\nLiferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146", "reference_id": "CVE-2024-25146", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25146", "reference_id": "CVE-2024-25146", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25146" }, { "reference_url": "https://github.com/advisories/GHSA-mqf8-4cqm-p83x", "reference_id": "GHSA-mqf8-4cqm-p83x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mqf8-4cqm-p83x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68836?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9yw4-52sc-rbbz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp18" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25146", "GHSA-mqf8-4cqm-p83x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p9am-1rhf-6bh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47093?format=api", "vulnerability_id": "VCID-pczz-39pz-37bb", "summary": "Liferay Portal's Dynamic Data Mapping module's DDMForm and Liferay DXP vulnerable to stored Cross-site Scripting\nStored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603", "reference_id": "CVE-2024-25603", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25603", "reference_id": "CVE-2024-25603", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25603" }, { "reference_url": "https://github.com/advisories/GHSA-44jg-jgjx-3xg5", "reference_id": "GHSA-44jg-jgjx-3xg5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-44jg-jgjx-3xg5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25603", "GHSA-44jg-jgjx-3xg5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pczz-39pz-37bb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110261?format=api", "vulnerability_id": "VCID-uu3m-ef36-jqg7", "summary": "Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Fragment Module\nA SQL injection vulnerability in the Fragment module before 4.0.33 from Liferay Portal (7.3.3 through 7.4.3.16), and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.", "references": [ { "reference_url": "http://liferay.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://liferay.com" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42120", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74644", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42120" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/6f94d203f5a194a64055e1e0ba0224d26ec54e47", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/6f94d203f5a194a64055e1e0ba0224d26ec54e47" }, { "reference_url": "https://issues.liferay.com/browse/LPE-17513", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.liferay.com/browse/LPE-17513" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42120", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42120" }, { "reference_url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120" }, { "reference_url": "https://web.archive.org/web/20220801000000*/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20220801000000*/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/145099?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u17" } ], "aliases": [ "CVE-2022-42120", "GHSA-r5fj-j449-vqw2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uu3m-ef36-jqg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47088?format=api", "vulnerability_id": "VCID-xuaz-p5q4-8beh", "summary": "Liferay Portal Calendar module and Liferay DXP vulnerable to Cross-site Scripting, content spoofing\nThe Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151", "reference_id": "CVE-2024-25151", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25151" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25151", "reference_id": "CVE-2024-25151", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25151" }, { "reference_url": "https://github.com/advisories/GHSA-hgr6-6hhw-883f", "reference_id": "GHSA-hgr6-6hhw-883f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hgr6-6hhw-883f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68843?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9yw4-52sc-rbbz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" } ], "aliases": [ "CVE-2024-25151", "GHSA-hgr6-6hhw-883f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xuaz-p5q4-8beh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47085?format=api", "vulnerability_id": "VCID-ydhb-8z5m-v7fb", "summary": "Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting\nMultiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget.", "references": [ { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26266", "reference_id": "CVE-2024-26266", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26266" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26266", "reference_id": "CVE-2024-26266", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26266" }, { "reference_url": "https://github.com/advisories/GHSA-rwxc-4cmw-7x75", "reference_id": "GHSA-rwxc-4cmw-7x75", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rwxc-4cmw-7x75" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68818?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68816?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/69085?format=api", "purl": "pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u10" } ], "aliases": [ "CVE-2024-26266", "GHSA-rwxc-4cmw-7x75" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhb-8z5m-v7fb" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4" }