Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36
Typemaven
Namespacecom.liferay.portal
Namerelease.dxp.bom
Version7.3.10.u36
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version7.4.13.u93
Latest_non_vulnerable_version7.4.13.u93
Affected_by_vulnerabilities
0
url VCID-cj4m-mvzh-ckh4
vulnerability_id VCID-cj4m-mvzh-ckh4
summary 
Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-11993
reference_id
reference_type
scores
0
value 0.00175
scoring_system epss
scoring_elements 0.38772
published_at 2026-06-07T12:55:00Z
1
value 0.00175
scoring_system epss
scoring_elements 0.38799
published_at 2026-06-06T12:55:00Z
2
value 0.00175
scoring_system epss
scoring_elements 0.38795
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-11993
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
reference_id CVE-2024-11993
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-17T21:24:48Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-11993
reference_id CVE-2024-11993
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 4.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-11993
4
reference_url https://github.com/advisories/GHSA-4hxr-28mv-q729
reference_id GHSA-4hxr-28mv-q729
reference_type
scores
url https://github.com/advisories/GHSA-4hxr-28mv-q729
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-42k1-vb9z-3qe7
2
vulnerability VCID-9hvg-h2ra-nbcc
3
vulnerability VCID-c3ym-wtv5-hfhr
4
vulnerability VCID-e5h2-wvws-3yhq
5
vulnerability VCID-ebzh-bpks-5qe2
6
vulnerability VCID-gkn8-ehfa-3ugx
7
vulnerability VCID-tqvb-a46r-jbf8
8
vulnerability VCID-xe2v-j69t-d3h3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u39
aliases CVE-2024-11993, GHSA-4hxr-28mv-q729
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cj4m-mvzh-ckh4
1
url VCID-ebzh-bpks-5qe2
vulnerability_id VCID-ebzh-bpks-5qe2
summary 
Liferay Cross-site Scripting vulnerability
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-3760
reference_id
reference_type
scores
0
value 0.00157
scoring_system epss
scoring_elements 0.363
published_at 2026-06-05T12:55:00Z
1
value 0.00157
scoring_system epss
scoring_elements 0.36271
published_at 2026-06-07T12:55:00Z
2
value 0.00157
scoring_system epss
scoring_elements 0.36309
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-3760
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760
reference_id CVE-2025-3760
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-17T13:22:03Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-3760
reference_id CVE-2025-3760
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-3760
4
reference_url https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
reference_id GHSA-qhp6-vp7c-g7xp
reference_type
scores
url https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.0-2
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.0-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-euw1-6mk1-n3he
2
vulnerability VCID-rtqu-78p2-buej
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.0-2
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u93
2
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q1.13
3
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q1.13
4
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.0
5
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.Q3.10
6
url pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10
purl pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2024.q3.10
7
url pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0
purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.Q1.0
8
url pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0
purl pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2025.q1.0
aliases CVE-2025-3760, GHSA-qhp6-vp7c-g7xp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ebzh-bpks-5qe2
2
url VCID-euw1-6mk1-n3he
vulnerability_id VCID-euw1-6mk1-n3he
summary 
Liferay Portal and Liferay DXP Vulnerable to XSS via the filter_ Prefix
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Fragment Renderer Collection Filter Implementation before v1.0.11 from Liferay Portal (v7.4.3.4) and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-27T17:48:12Z/
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-28980
reference_id
reference_type
scores
0
value 0.00247
scoring_system epss
scoring_elements 0.48251
published_at 2026-06-05T12:55:00Z
1
value 0.00247
scoring_system epss
scoring_elements 0.48235
published_at 2026-06-07T12:55:00Z
2
value 0.00247
scoring_system epss
scoring_elements 0.48188
published_at 2026-06-04T12:55:00Z
3
value 0.00247
scoring_system epss
scoring_elements 0.48255
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-28980
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://github.com/liferay/liferay-portal/commit/b4ea3e9acb6c3602b9c90538ba35f11906dc07ed
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/b4ea3e9acb6c3602b9c90538ba35f11906dc07ed
4
reference_url https://liferay.atlassian.net/browse/LPE-17420
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.atlassian.net/browse/LPE-17420
5
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28980-reflected-xss-with-filter_-parameters-in-applied-fragment-filters?p_r_p_assetEntryId=121612438&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612438%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28980-reflected-xss-with-filter_-parameters-in-applied-fragment-filters?p_r_p_assetEntryId=121612438&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612438%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-28980
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-28980
7
reference_url https://web.archive.org/web/20221114081624/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_*-parameters-in-applied-fragment-filters
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20221114081624/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_*-parameters-in-applied-fragment-filters
8
reference_url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters
reference_id cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-27T17:48:12Z/
url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters
9
reference_url https://github.com/advisories/GHSA-8mp9-w7gr-pvj3
reference_id GHSA-8mp9-w7gr-pvj3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8mp9-w7gr-pvj3
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.5-ga5
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.5-ga5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.3.5-ga5
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.10.ep1
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.10.ep1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-27a1-teqk-cbe2
2
vulnerability VCID-42k1-vb9z-3qe7
3
vulnerability VCID-9hvg-h2ra-nbcc
4
vulnerability VCID-9yw4-52sc-rbbz
5
vulnerability VCID-c3ym-wtv5-hfhr
6
vulnerability VCID-cj4m-mvzh-ckh4
7
vulnerability VCID-d8m3-apv8-zfe1
8
vulnerability VCID-e5c7-wsvb-dyfm
9
vulnerability VCID-e5h2-wvws-3yhq
10
vulnerability VCID-ef5k-bdxm-xfer
11
vulnerability VCID-ggs5-4zac-vqa7
12
vulnerability VCID-gkn8-ehfa-3ugx
13
vulnerability VCID-k9yt-aj7x-3bht
14
vulnerability VCID-menx-yu2z-xkeh
15
vulnerability VCID-rtqu-78p2-buej
16
vulnerability VCID-tqvb-a46r-jbf8
17
vulnerability VCID-uu3m-ef36-jqg7
18
vulnerability VCID-xe2v-j69t-d3h3
19
vulnerability VCID-xn1n-5rgc-83bg
20
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.10.ep1
aliases CVE-2022-28980, GHSA-8mp9-w7gr-pvj3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-euw1-6mk1-n3he
3
url VCID-rtqu-78p2-buej
vulnerability_id VCID-rtqu-78p2-buej
summary 
Liferay Portal and Liferay DXP fails to check origin of event messages
The Remote App module before 2.0.21 from Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
references
0
reference_url http://liferay.com
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://liferay.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-25146
reference_id
reference_type
scores
0
value 0.0014
scoring_system epss
scoring_elements 0.33849
published_at 2026-06-06T12:55:00Z
1
value 0.0014
scoring_system epss
scoring_elements 0.33833
published_at 2026-06-05T12:55:00Z
2
value 0.0014
scoring_system epss
scoring_elements 0.33727
published_at 2026-06-04T12:55:00Z
3
value 0.0014
scoring_system epss
scoring_elements 0.33815
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-25146
2
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
3
reference_url https://github.com/liferay/liferay-portal/commit/2fe144127a1a3b4c74f47e4b760b992b997c276b
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal/commit/2fe144127a1a3b4c74f47e4b760b992b997c276b
4
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps?p_r_p_assetEntryId=121612000&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612000%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps?p_r_p_assetEntryId=121612000&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612000%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-25146
reference_id CVE-2022-25146
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-25146
6
reference_url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps
reference_id CVE-2022-25146-CSRF-TOKEN-EXFILTRATION-VIA-REMOTE-APPS
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps
7
reference_url https://github.com/advisories/GHSA-ghw5-998m-vw4w
reference_id GHSA-ghw5-998m-vw4w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ghw5-998m-vw4w
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u5
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fqz-psdf-g7dm
1
vulnerability VCID-27a1-teqk-cbe2
2
vulnerability VCID-42k1-vb9z-3qe7
3
vulnerability VCID-9hvg-h2ra-nbcc
4
vulnerability VCID-9yw4-52sc-rbbz
5
vulnerability VCID-c3ym-wtv5-hfhr
6
vulnerability VCID-cj4m-mvzh-ckh4
7
vulnerability VCID-d8m3-apv8-zfe1
8
vulnerability VCID-e5c7-wsvb-dyfm
9
vulnerability VCID-e5h2-wvws-3yhq
10
vulnerability VCID-ebzh-bpks-5qe2
11
vulnerability VCID-ef5k-bdxm-xfer
12
vulnerability VCID-ggs5-4zac-vqa7
13
vulnerability VCID-gkn8-ehfa-3ugx
14
vulnerability VCID-k9yt-aj7x-3bht
15
vulnerability VCID-menx-yu2z-xkeh
16
vulnerability VCID-tqvb-a46r-jbf8
17
vulnerability VCID-uu3m-ef36-jqg7
18
vulnerability VCID-xe2v-j69t-d3h3
19
vulnerability VCID-xwgk-d28b-rbgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u5
aliases CVE-2022-25146, GHSA-ghw5-998m-vw4w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rtqu-78p2-buej
Fixing_vulnerabilities
0
url VCID-1jgz-k7zp-uydp
vulnerability_id VCID-1jgz-k7zp-uydp
summary 
Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-38002
reference_id
reference_type
scores
0
value 0.04275
scoring_system epss
scoring_elements 0.89044
published_at 2026-06-07T12:55:00Z
1
value 0.04275
scoring_system epss
scoring_elements 0.89043
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-38002
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002
reference_id CVE-2024-38002
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-22T15:21:03Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-38002
reference_id CVE-2024-38002
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-38002
4
reference_url https://github.com/advisories/GHSA-3mfq-fp2f-vwqh
reference_id GHSA-3mfq-fp2f-vwqh
reference_type
scores
url https://github.com/advisories/GHSA-3mfq-fp2f-vwqh
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-euw1-6mk1-n3he
3
vulnerability VCID-rtqu-78p2-buej
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36
1
url pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u92
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u92
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27a1-teqk-cbe2
1
vulnerability VCID-5nq8-gsav-5ffq
2
vulnerability VCID-ebzh-bpks-5qe2
3
vulnerability VCID-ej5y-geq1-pkfn
4
vulnerability VCID-mbd8-z3ry-cqap
5
vulnerability VCID-mf9a-eusx-f3gb
6
vulnerability VCID-tqvb-a46r-jbf8
7
vulnerability VCID-xn1n-5rgc-83bg
8
vulnerability VCID-xv4h-g41b-c7c7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.4.13.u92
2
url pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q3.9
purl pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q3.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q3.9
3
url pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q4.6
purl pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q4.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q4.6
aliases CVE-2024-38002, GHSA-3mfq-fp2f-vwqh
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1jgz-k7zp-uydp
1
url VCID-turp-jxv8-1fgy
vulnerability_id VCID-turp-jxv8-1fgy
summary 
Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console
The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability. This issue has been patched in Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 Update 36.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-8980
reference_id
reference_type
scores
0
value 0.00381
scoring_system epss
scoring_elements 0.59889
published_at 2026-06-05T12:55:00Z
1
value 0.00381
scoring_system epss
scoring_elements 0.59883
published_at 2026-06-07T12:55:00Z
2
value 0.00381
scoring_system epss
scoring_elements 0.59892
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-8980
1
reference_url https://github.com/liferay/liferay-portal
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/liferay/liferay-portal
2
reference_url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980
reference_id CVE-2024-8980
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-22T15:02:17Z/
url https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-8980
reference_id CVE-2024-8980
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-8980
4
reference_url https://github.com/advisories/GHSA-chj2-4vg7-hhg3
reference_id GHSA-chj2-4vg7-hhg3
reference_type
scores
url https://github.com/advisories/GHSA-chj2-4vg7-hhg3
fixed_packages
0
url pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36
purl pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cj4m-mvzh-ckh4
1
vulnerability VCID-ebzh-bpks-5qe2
2
vulnerability VCID-euw1-6mk1-n3he
3
vulnerability VCID-rtqu-78p2-buej
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36
1
url pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q3.5
purl pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q3.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@2023.Q3.5
aliases CVE-2024-8980, GHSA-chj2-4vg7-hhg3
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-turp-jxv8-1fgy
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u36