Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u38
Typemaven
Namespacecom.liferay.portal
Namerelease.dxp.bom
Version7.4.13.u38
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version7.4.13.u93
Latest_non_vulnerable_version7.4.13.u93
Affected_by_vulnerabilities
0
url VCID-27a1-teqk-cbe2
vulnerability_id VCID-27a1-teqk-cbe2
summary 
Liferay Portal and Liferay DXP vulnerable to store Cross-site Scripting
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-43776
reference_id
reference_type
scores
0
value 0.00044
scoring_system epss
scoring_elements 0.13928
published_at 2026-06-05T12:55:00Z
1
value 0.00044
scoring_system epss
scoring_elements 0.13932
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-43776
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.atlassian.net/browse/LPE-18277
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.atlassian.net/browse/LPE-18277
3
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43776
reference_id CVE-2025-43776
reference_type
scores
0
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T15:04:48Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43776
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-43776
reference_id CVE-2025-43776
reference_type
scores
0
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-43776
5
reference_url https://github.com/advisories/GHSA-rcc7-jx7p-hrv4
reference_id GHSA-rcc7-jx7p-hrv4
reference_type
scores
url https://github.com/advisories/GHSA-rcc7-jx7p-hrv4
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
1
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.20
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.20
2
url pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.17
purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.17
3
url pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q2.10
purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q2.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q2.10
aliases CVE-2025-43776, GHSA-rcc7-jx7p-hrv4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-27a1-teqk-cbe2
1
url VCID-42k1-vb9z-3qe7
vulnerability_id VCID-42k1-vb9z-3qe7
summary 
Liferay Portal and Liferay DXP Vulnerable to Reflected XSS via the Export for Translation Page
Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page before 2.0.86 from Liferay Portal (7.4.3.4 through 7.4.3.85), and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-42497
reference_id
reference_type
scores
0
value 0.00192
scoring_system epss
scoring_elements 0.40968
published_at 2026-06-05T12:55:00Z
1
value 0.00192
scoring_system epss
scoring_elements 0.40972
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-42497
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497?p_r_p_assetEntryId=122124913&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D122124913%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497?p_r_p_assetEntryId=122124913&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D122124913%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
3
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497
reference_id cve-2023-42497
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-13T16:32:09Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42497
reference_id CVE-2023-42497
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-42497
5
reference_url https://github.com/advisories/GHSA-w2g3-j73q-7qv7
reference_id GHSA-w2g3-j73q-7qv7
reference_type
scores
url https://github.com/advisories/GHSA-w2g3-j73q-7qv7
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u86
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u86
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-9hvg-h2ra-nbcc
2
vulnerability VCID-e5h2-wvws-3yhq
3
vulnerability VCID-ebzh-bpks-5qe2
4
vulnerability VCID-ezpm-x3vx-zfe6
5
vulnerability VCID-tqvb-a46r-jbf8
6
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u86
aliases CVE-2023-42497, GHSA-w2g3-j73q-7qv7
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-42k1-vb9z-3qe7
2
url VCID-9hvg-h2ra-nbcc
vulnerability_id VCID-9hvg-h2ra-nbcc
summary 
Liferay Portal and Liferay DXP Vulnerable to Stored XSS in the Manage Vocabulary Page
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in the Asset Categories Admin Web module before 5.0.87 from Liferay Portal (7.4.2 through 7.4.3.87), and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-42629
reference_id
reference_type
scores
0
value 0.00208
scoring_system epss
scoring_elements 0.4326
published_at 2026-06-05T12:55:00Z
1
value 0.00208
scoring_system epss
scoring_elements 0.43268
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-42629
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/2e02110747dd5cccb978623545bfa1f3ad0a5602
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/2e02110747dd5cccb978623545bfa1f3ad0a5602
3
reference_url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629
reference_id CVE-2023-42629
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42629
reference_id CVE-2023-42629
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-42629
6
reference_url https://github.com/advisories/GHSA-g44j-f8wm-6622
reference_id GHSA-g44j-f8wm-6622
reference_type
scores
url https://github.com/advisories/GHSA-g44j-f8wm-6622
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-ezpm-x3vx-zfe6
3
vulnerability VCID-tqvb-a46r-jbf8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
aliases CVE-2023-42629, GHSA-g44j-f8wm-6622
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9hvg-h2ra-nbcc
3
url VCID-c3ym-wtv5-hfhr
vulnerability_id VCID-c3ym-wtv5-hfhr
summary 
Liferay Portal and Liferay DXP Vulnerable to XSS via the Page Tree Menu
Stored cross-site scripting (XSS) vulnerability in Page Tree menu in Liferay Layout Implementation before 6.0.102 from Liferay Portal (7.3.6 through 7.4.3.78), and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-44310
reference_id
reference_type
scores
0
value 0.00199
scoring_system epss
scoring_elements 0.41958
published_at 2026-06-05T12:55:00Z
1
value 0.00199
scoring_system epss
scoring_elements 0.41969
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-44310
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/45931175b6ae14df089f0304f86b5b0f66ac3c02
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/45931175b6ae14df089f0304f86b5b0f66ac3c02
3
reference_url https://liferay.atlassian.net/browse/LPE-17725
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://liferay.atlassian.net/browse/LPE-17725
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310?p_r_p_assetEntryId=122124880&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D122124880%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310?p_r_p_assetEntryId=122124880&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D122124880%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
5
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310
reference_id cve-2023-44310
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-13T16:31:02Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-44310
reference_id CVE-2023-44310
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-44310
7
reference_url https://github.com/advisories/GHSA-j5gv-w838-mmcx
reference_id GHSA-j5gv-w838-mmcx
reference_type
scores
url https://github.com/advisories/GHSA-j5gv-w838-mmcx
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u79
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u79
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-42k1-vb9z-3qe7
2
vulnerability VCID-9hvg-h2ra-nbcc
3
vulnerability VCID-e5h2-wvws-3yhq
4
vulnerability VCID-ebzh-bpks-5qe2
5
vulnerability VCID-ezpm-x3vx-zfe6
6
vulnerability VCID-tqvb-a46r-jbf8
7
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u79
aliases CVE-2023-44310, GHSA-j5gv-w838-mmcx
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c3ym-wtv5-hfhr
4
url VCID-cj4m-mvzh-ckh4
vulnerability_id VCID-cj4m-mvzh-ckh4
summary 
Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-11993
reference_id
reference_type
scores
0
value 0.00175
scoring_system epss
scoring_elements 0.38799
published_at 2026-06-06T12:55:00Z
1
value 0.00175
scoring_system epss
scoring_elements 0.38795
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-11993
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
reference_id CVE-2024-11993
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-17T21:24:48Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-11993
reference_id CVE-2024-11993
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-11993
4
reference_url https://github.com/advisories/GHSA-4hxr-28mv-q729
reference_id GHSA-4hxr-28mv-q729
reference_type
scores
url https://github.com/advisories/GHSA-4hxr-28mv-q729
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-42k1-vb9z-3qe7
2
vulnerability VCID-9hvg-h2ra-nbcc
3
vulnerability VCID-c3ym-wtv5-hfhr
4
vulnerability VCID-e5h2-wvws-3yhq
5
vulnerability VCID-ebzh-bpks-5qe2
6
vulnerability VCID-gkn8-ehfa-3ugx
7
vulnerability VCID-tqvb-a46r-jbf8
8
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
aliases CVE-2024-11993, GHSA-4hxr-28mv-q729
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cj4m-mvzh-ckh4
5
url VCID-e5h2-wvws-3yhq
vulnerability_id VCID-e5h2-wvws-3yhq
summary 
Liferay Portal and Liferay DXP have Cross-site Scripting vulnerability in edit Service Access Policy page
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37940
reference_id
reference_type
scores
0
value 0.00175
scoring_system epss
scoring_elements 0.38795
published_at 2026-06-05T12:55:00Z
1
value 0.00175
scoring_system epss
scoring_elements 0.38799
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37940
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2023-37940
reference_id CVE-2023-37940
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-17T21:41:20Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2023-37940
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37940
reference_id CVE-2023-37940
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37940
4
reference_url https://github.com/advisories/GHSA-px38-239g-x5mg
reference_id GHSA-px38-239g-x5mg
reference_type
scores
url https://github.com/advisories/GHSA-px38-239g-x5mg
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-ezpm-x3vx-zfe6
3
vulnerability VCID-tqvb-a46r-jbf8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
aliases CVE-2023-37940, GHSA-px38-239g-x5mg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e5h2-wvws-3yhq
6
url VCID-ebzh-bpks-5qe2
vulnerability_id VCID-ebzh-bpks-5qe2
summary 
Liferay Cross-site Scripting vulnerability
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-3760
reference_id
reference_type
scores
0
value 0.00157
scoring_system epss
scoring_elements 0.363
published_at 2026-06-05T12:55:00Z
1
value 0.00157
scoring_system epss
scoring_elements 0.36309
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-3760
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760
reference_id CVE-2025-3760
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-17T13:22:03Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-3760
reference_id CVE-2025-3760
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-3760
4
reference_url https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
reference_id GHSA-qhp6-vp7c-g7xp
reference_type
scores
url https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
1
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13
2
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
3
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0
4
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10
5
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
6
url pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0
purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0
7
url pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0
purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0
aliases CVE-2025-3760, GHSA-qhp6-vp7c-g7xp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ebzh-bpks-5qe2
7
url VCID-gkn8-ehfa-3ugx
vulnerability_id VCID-gkn8-ehfa-3ugx
summary 
Liferay Portal and Liferay DXP Vulnerable to XSS in the Fragment Components
Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components before 3.0.25 from Liferay Portal (7.4.2 through 7.4.3.53), and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-44309
reference_id
reference_type
scores
0
value 0.00199
scoring_system epss
scoring_elements 0.41958
published_at 2026-06-05T12:55:00Z
1
value 0.00199
scoring_system epss
scoring_elements 0.41969
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-44309
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://github.com/liferay/liferay-portal/commit/1287c68486d60b87179995d8b8bd530031300a47
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/1287c68486d60b87179995d8b8bd530031300a47
3
reference_url https://github.com/liferay/liferay-portal/commit/28f8a7aabccce45e9d60cfb0cf63fc53c99b0d26
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/28f8a7aabccce45e9d60cfb0cf63fc53c99b0d26
4
reference_url https://github.com/liferay/liferay-portal/commit/9031a7a03e5891e7ccf762011fe8bcc2e433b1db
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/9031a7a03e5891e7ccf762011fe8bcc2e433b1db
5
reference_url https://github.com/liferay/liferay-portal/commit/ba628735cfae8656ab4243ecffce260413ed2460
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/ba628735cfae8656ab4243ecffce260413ed2460
6
reference_url https://github.com/liferay/liferay-portal/commit/d70fecd2c5709d8dd5f4992b408a640ce912001b
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/d70fecd2c5709d8dd5f4992b408a640ce912001b
7
reference_url https://github.com/liferay/liferay-portal/commit/e45bf2d00ed7f95f02702a1da3e4115ab30b1bff
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/e45bf2d00ed7f95f02702a1da3e4115ab30b1bff
8
reference_url https://github.com/liferay/liferay-portal/commit/ed856dd9e2947e3e660d7cfbdb8c604b296db790
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/ed856dd9e2947e3e660d7cfbdb8c604b296db790
9
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309
reference_id CVE-2023-44309
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-13T16:31:32Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-44309
reference_id CVE-2023-44309
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-44309
11
reference_url https://github.com/advisories/GHSA-j663-6jpj-xx8c
reference_id GHSA-j663-6jpj-xx8c
reference_type
scores
url https://github.com/advisories/GHSA-j663-6jpj-xx8c
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u54
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u54
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-42k1-vb9z-3qe7
2
vulnerability VCID-9hvg-h2ra-nbcc
3
vulnerability VCID-c3ym-wtv5-hfhr
4
vulnerability VCID-e5h2-wvws-3yhq
5
vulnerability VCID-ebzh-bpks-5qe2
6
vulnerability VCID-ezpm-x3vx-zfe6
7
vulnerability VCID-tqvb-a46r-jbf8
8
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u54
aliases CVE-2023-44309, GHSA-j663-6jpj-xx8c
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gkn8-ehfa-3ugx
8
url VCID-tqvb-a46r-jbf8
vulnerability_id VCID-tqvb-a46r-jbf8
summary 
Liferay Portal and Liferay DXP Vulnerable to XSS in the Commerce Module
Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module before 4.0.35 from Liferay Portal (7.3.5 through 7.4.3.91), and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-42627
reference_id
reference_type
scores
0
value 0.00208
scoring_system epss
scoring_elements 0.4326
published_at 2026-06-05T12:55:00Z
1
value 0.00208
scoring_system epss
scoring_elements 0.43268
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-42627
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
3
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627
reference_id CVE-2023-42627
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-02T19:36:13Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42627
reference_id CVE-2023-42627
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-42627
5
reference_url https://github.com/advisories/GHSA-qp68-5v39-r869
reference_id GHSA-qp68-5v39-r869
reference_type
scores
url https://github.com/advisories/GHSA-qp68-5v39-r869
6
reference_url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/
reference_id stored-cross-site-scripting-vulnerabilities-in-liferay-portal
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-02T19:36:13Z/
url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
aliases CVE-2023-42627, GHSA-qp68-5v39-r869
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tqvb-a46r-jbf8
9
url VCID-xe2v-j69t-d3h3
vulnerability_id VCID-xe2v-j69t-d3h3
summary 
Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Wiki Web before 7.0.95 from Liferay Portal (7.1.0 through 7.4.3.87), and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-42628
reference_id
reference_type
scores
0
value 0.00159
scoring_system epss
scoring_elements 0.36609
published_at 2026-06-05T12:55:00Z
1
value 0.00159
scoring_system epss
scoring_elements 0.36618
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-42628
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal
3
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
reference_id CVE-2023-42628
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42628
reference_id CVE-2023-42628
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-42628
5
reference_url https://github.com/advisories/GHSA-hv45-r2f5-fmhj
reference_id GHSA-hv45-r2f5-fmhj
reference_type
scores
url https://github.com/advisories/GHSA-hv45-r2f5-fmhj
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-ezpm-x3vx-zfe6
3
vulnerability VCID-tqvb-a46r-jbf8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u88
aliases CVE-2023-42628, GHSA-hv45-r2f5-fmhj
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xe2v-j69t-d3h3
Fixing_vulnerabilities
0
url VCID-qks2-mqk8-wffq
vulnerability_id VCID-qks2-mqk8-wffq
summary 
Liferay Portal Frontend JS module's portlet.js and Liferay DXP vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26269
reference_id
reference_type
scores
0
value 0.00147
scoring_system epss
scoring_elements 0.34843
published_at 2026-06-06T12:55:00Z
1
value 0.00147
scoring_system epss
scoring_elements 0.34827
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26269
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269
reference_id CVE-2024-26269
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T16:16:54Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26269
reference_id CVE-2024-26269
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26269
4
reference_url https://github.com/advisories/GHSA-rwhv-hvj2-qrqm
reference_id GHSA-rwhv-hvj2-qrqm
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rwhv-hvj2-qrqm
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp20
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-e5h2-wvws-3yhq
2
vulnerability VCID-ebmm-3qj1-8uec
3
vulnerability VCID-ebzh-bpks-5qe2
4
vulnerability VCID-euw1-6mk1-n3he
5
vulnerability VCID-fxtu-zgpf-cbhs
6
vulnerability VCID-p4nc-ucxy-sydb
7
vulnerability VCID-rtqu-78p2-buej
8
vulnerability VCID-vsg8-h11j-63ge
9
vulnerability VCID-xe2v-j69t-d3h3
10
vulnerability VCID-xu7c-vz69-duhp
11
vulnerability VCID-zc36-wq6m-4bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp20
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u11
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-e5h2-wvws-3yhq
2
vulnerability VCID-ebzh-bpks-5qe2
3
vulnerability VCID-euw1-6mk1-n3he
4
vulnerability VCID-rtqu-78p2-buej
5
vulnerability VCID-tqvb-a46r-jbf8
6
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u11
2
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u38
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-42k1-vb9z-3qe7
2
vulnerability VCID-9hvg-h2ra-nbcc
3
vulnerability VCID-c3ym-wtv5-hfhr
4
vulnerability VCID-cj4m-mvzh-ckh4
5
vulnerability VCID-e5h2-wvws-3yhq
6
vulnerability VCID-ebzh-bpks-5qe2
7
vulnerability VCID-gkn8-ehfa-3ugx
8
vulnerability VCID-tqvb-a46r-jbf8
9
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u38
aliases CVE-2024-26269, GHSA-rwhv-hvj2-qrqm
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qks2-mqk8-wffq
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u38