Package details: pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp17
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (13)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1u2t-e6c5-yfez | | CVE-2022-42121, GHSA-gxxj-fhmr-37j9 |
| VCID-2q68-bkeh-t7aw | Liferay Portal's Dynamic Data Mapping module's DDMForm and Liferay DXP vulnerable to stored Cross-site Scripting: Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter. | CVE-2024-25603, GHSA-44jg-jgjx-3xg5 |
| VCID-5628-87wr-nybq | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization’s “Name” text field. | CVE-2024-25602, GHSA-v2xq-m22w-jmpr |
| VCID-89zv-ajmx-87bh | Liferay Portal defaults to a low work factor for the default password hashing algorithm: The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes. | CVE-2024-25607, GHSA-43h9-p3j4-39hm |
| VCID-e41e-8hvb-nkas | Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting: Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget. | CVE-2024-26266, GHSA-rwxc-4cmw-7x75 |
| VCID-ec3h-msg4-8ugx | | CVE-2022-42110, GHSA-2qwm-9mg5-jwq8 |
| VCID-gf41-q7x8-gfbx | Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers: In Liferay Impl before 5.18.4, Liferay Users Admin Web before 5.0.33, Liferay Login Web before 5.0.18, and Liferay Commerce Account Web before 3.0.7 from Liferay Portal (7.2.0 through 7.3.5), and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers. | CVE-2021-29038, GHSA-mwhf-6mjm-6w3h |
| VCID-hm6a-7agu-x7hw | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment. | CVE-2024-25152, GHSA-p28x-4r5h-ph6j |
| VCID-hpwb-nks5-1qak | Liferay Portal and Liferay DXP Allows Templates to be Viewed via the UI or API: The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API. | CVE-2024-25605, GHSA-mf8h-grfg-j9j3 |
| VCID-jnax-5hm7-h7hs | Liferay Portal and Liferay DXP Allows Authenticated Users with View Permissions to Edit Permissions: Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel. | CVE-2024-25604, GHSA-pw7p-3648-qqmg |
| VCID-pq34-3vhq-vbfv | | CVE-2022-42132, GHSA-f43m-hhj4-q3jg |
| VCID-q2b7-dznb-sbhc | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application. | CVE-2024-25145, GHSA-9vgq-w5pv-v77q |
| VCID-qr3x-2ch3-v3cv | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field. | CVE-2024-25601, GHSA-cr36-3vqf-x5w5 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-31T01:02:14.899630+00:00 | GHSA Importer | Fixing | VCID-2q68-bkeh-t7aw | https://github.com/advisories/GHSA-44jg-jgjx-3xg5 | 38.6.0 |
| 2026-05-31T01:02:14.869578+00:00 | GHSA Importer | Fixing | VCID-e41e-8hvb-nkas | https://github.com/advisories/GHSA-rwxc-4cmw-7x75 | 38.6.0 |
| 2026-05-31T01:02:14.805424+00:00 | GHSA Importer | Fixing | VCID-5628-87wr-nybq | https://github.com/advisories/GHSA-v2xq-m22w-jmpr | 38.6.0 |
| 2026-05-31T01:02:14.504958+00:00 | GHSA Importer | Fixing | VCID-qr3x-2ch3-v3cv | https://github.com/advisories/GHSA-cr36-3vqf-x5w5 | 38.6.0 |
| 2026-05-31T01:02:14.067110+00:00 | GHSA Importer | Fixing | VCID-hm6a-7agu-x7hw | https://github.com/advisories/GHSA-p28x-4r5h-ph6j | 38.6.0 |
| 2026-05-31T01:02:13.784339+00:00 | GHSA Importer | Fixing | VCID-gf41-q7x8-gfbx | https://github.com/advisories/GHSA-mwhf-6mjm-6w3h | 38.6.0 |
| 2026-05-31T01:02:11.392452+00:00 | GHSA Importer | Fixing | VCID-89zv-ajmx-87bh | https://github.com/advisories/GHSA-43h9-p3j4-39hm | 38.6.0 |
| 2026-05-31T01:02:10.939656+00:00 | GHSA Importer | Fixing | VCID-jnax-5hm7-h7hs | https://github.com/advisories/GHSA-pw7p-3648-qqmg | 38.6.0 |
| 2026-05-31T01:02:10.674825+00:00 | GHSA Importer | Fixing | VCID-hpwb-nks5-1qak | https://github.com/advisories/GHSA-mf8h-grfg-j9j3 | 38.6.0 |
| 2026-05-31T01:01:59.704883+00:00 | GHSA Importer | Fixing | VCID-q2b7-dznb-sbhc | https://github.com/advisories/GHSA-9vgq-w5pv-v77q | 38.6.0 |
| 2026-05-31T01:01:18.021423+00:00 | GHSA Importer | Fixing | VCID-pq34-3vhq-vbfv | https://github.com/advisories/GHSA-f43m-hhj4-q3jg | 38.6.0 |
| 2026-05-31T01:01:17.724131+00:00 | GHSA Importer | Fixing | VCID-ec3h-msg4-8ugx | https://github.com/advisories/GHSA-2qwm-9mg5-jwq8 | 38.6.0 |
| 2026-05-31T01:01:17.428582+00:00 | GHSA Importer | Fixing | VCID-1u2t-e6c5-yfez | https://github.com/advisories/GHSA-gxxj-fhmr-37j9 | 38.6.0 |
| 2026-05-30T21:03:25.437448+00:00 | GitLab Importer | Fixing | VCID-2q68-bkeh-t7aw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25603.yml | 38.6.0 |
| 2026-05-30T21:03:25.073562+00:00 | GitLab Importer | Fixing | VCID-qr3x-2ch3-v3cv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25601.yml | 38.6.0 |
| 2026-05-30T21:03:24.624869+00:00 | GitLab Importer | Fixing | VCID-e41e-8hvb-nkas | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-26266.yml | 38.6.0 |
| 2026-05-30T21:03:24.571153+00:00 | GitLab Importer | Fixing | VCID-gf41-q7x8-gfbx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2021-29038.yml | 38.6.0 |
| 2026-05-30T21:03:24.442968+00:00 | GitLab Importer | Fixing | VCID-5628-87wr-nybq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25602.yml | 38.6.0 |
| 2026-05-30T21:03:23.966588+00:00 | GitLab Importer | Fixing | VCID-hm6a-7agu-x7hw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25152.yml | 38.6.0 |
| 2026-05-30T21:03:23.600696+00:00 | GitLab Importer | Fixing | VCID-jnax-5hm7-h7hs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25604.yml | 38.6.0 |
| 2026-05-30T21:03:22.677599+00:00 | GitLab Importer | Fixing | VCID-89zv-ajmx-87bh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25607.yml | 38.6.0 |
| 2026-05-30T21:03:22.308014+00:00 | GitLab Importer | Fixing | VCID-hpwb-nks5-1qak | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25605.yml | 38.6.0 |
| 2026-05-30T21:03:14.171537+00:00 | GitLab Importer | Fixing | VCID-q2b7-dznb-sbhc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.dxp.bom/CVE-2024-25145.yml | 38.6.0 |