Package details: pkg:maven/com.liferay.portal/com.liferay.portal.kernel@38.0.0
purl pkg:maven/com.liferay.portal/com.liferay.portal.kernel@38.0.0
Next non-vulnerable version 155.0.0
Latest non-vulnerable version 155.0.0
Risk
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-3hkn-drwj-hqdw
Aliases:
CVE-2025-43770
GHSA-h4m4-xp33-37mj
Liferay Portal vulnerable to Reflected XSS with the referer and forward parameter
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the referer or FORWARD_URL using %00 in those parameters.
155.0.0
Affected by 0 other vulnerabilities.
VCID-53r9-taqn-gkhc
Aliases:
CVE-2025-43793
GHSA-xvgg-9h29-4g34
Liferay Portal has Improper Validation of Specified Quantity in Input
Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that shares the same TLD to read cookies set by the application.
130.0.1
Affected by 1 other vulnerability.
VCID-my27-544c-77ck
Aliases:
CVE-2025-43792
GHSA-vp64-77c6-33h8
Liferay Portal has External Control of System or Configuration Settings
Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the live site from the database, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake “live site”) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and _com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort parameters. To successfully exploit this vulnerability, an attacker must also successfully obtain the staging server’s shared secret and add the attacker controlled server to the staging server’s whitelist.
130.0.1
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-dxae-p6e2-qbay
Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session
SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
Aliases:
CVE-2025-3526
GHSA-mf3r-6m25-3867
VCID-x9pp-w4xg-vyhn
Liferay Portal defaults to a low work factor for the default password hashing algorithm
The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.
Aliases:
CVE-2024-25607
GHSA-43h9-p3j4-39hm

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-30T07:44:56.356340+00:00 GitLab Importer Affected by VCID-53r9-taqn-gkhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/com.liferay.portal.kernel/CVE-2025-43793.yml 38.6.0
2026-05-30T07:44:37.277489+00:00 GitLab Importer Affected by VCID-my27-544c-77ck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/com.liferay.portal.kernel/CVE-2025-43792.yml 38.6.0
2026-05-30T07:37:21.916786+00:00 GitLab Importer Affected by VCID-3hkn-drwj-hqdw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/com.liferay.portal.kernel/CVE-2025-43770.yml 38.6.0
2026-05-30T07:29:40.017959+00:00 GitLab Importer Fixing VCID-dxae-p6e2-qbay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/com.liferay.portal.kernel/CVE-2025-3526.yml 38.6.0
2026-05-29T17:34:39.670530+00:00 GitLab Importer Fixing VCID-x9pp-w4xg-vyhn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/com.liferay.portal.kernel/CVE-2024-25607.yml 38.6.0
2026-05-29T14:30:57.837712+00:00 GHSA Importer Fixing VCID-x9pp-w4xg-vyhn https://github.com/advisories/GHSA-43h9-p3j4-39hm 38.6.0
2026-05-29T09:02:22.839712+00:00 GithubOSV Importer Fixing VCID-dxae-p6e2-qbay https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mf3r-6m25-3867/GHSA-mf3r-6m25-3867.json 38.6.0
2026-05-29T08:44:06.148406+00:00 GithubOSV Importer Fixing VCID-x9pp-w4xg-vyhn https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-43h9-p3j4-39hm/GHSA-43h9-p3j4-39hm.json 38.6.0