Package details: pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.132
purl pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.132
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk
Vulnerabilities affecting this package (18)
Vulnerability Summary Fixed by
VCID-2wm6-yd62-y7cz
Aliases:
CVE-2025-43736
GHSA-cg99-m88x-422c
Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture of more than 300kb into a user profile, exceeding the stated 300kb maximum. This extra data can significantly slow down the Liferay service. There are no reported fixed by versions.
VCID-68u4-q6vh-uqda
Aliases:
CVE-2025-43746
GHSA-mpww-r37c-vxjw
Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameters. There are no reported fixed by versions.
VCID-9sb7-qrgp-1yf9
Aliases:
CVE-2025-43745
GHSA-7q33-gwcm-r6cj
Liferay Portal CSRF Vulnerability via Endpoint Parameter
A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to perform cross-origin requests on behalf of the authenticated user via the endpoint parameter. There are no reported fixed by versions.
VCID-a3ry-pezq-9bg9
Aliases:
CVE-2025-43749
GHSA-5fx5-cff6-f3fp
Liferay Portal Unauthenticated File Access via URL
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access, via URL, files uploaded through the form and stored in document_library. There are no reported fixed by versions.
VCID-cbt7-tube-jkgz
Aliases:
CVE-2025-43743
GHSA-g4vp-4gqr-7v8c
Liferay Portal Enumeration Discrepancy in Calendars
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other users' calendars and thereby enumerate their names, giving an attacker the possibility to send phishing to these users. There are no reported fixed by versions.
VCID-dnv6-swpp-cuee
Aliases:
CVE-2025-43776
GHSA-rcc7-jx7p-hrv4
Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting
A stored cross-site scripting vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript through a Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping. There are no reported fixed by versions.
VCID-erjj-fcds-2ydh
Aliases:
CVE-2025-43731
GHSA-3p2m-574v-v257
Liferay Portal Vulnerable to Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated user to inject JavaScript in message board threads and categories. There are no reported fixed by versions.
VCID-fbkn-d96m-gyas
Aliases:
CVE-2025-43734
GHSA-m5c7-5gv3-hcpf
Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by the clay button taglib when the page is refreshed. There are no reported fixed by versions.
VCID-gu3f-jgwd-suez
Aliases:
CVE-2025-43740
GHSA-22jp-w3cg-gvmm
Liferay Portal has Stored Cross-Site Scripting Vulnerability via Message Boards Feature
A stored cross-site scripting vulnerability in Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows a remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface. Liferay Portal is fixed on the master branch from commit c1b7c6b. There are no reported fixed by versions.
VCID-gv9f-cur9-2be3
Aliases:
CVE-2025-43752
GHSA-qpp6-f3qj-rggq
Liferay Portal's Unlimited File Upload Could Result in DoS
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow users to upload an unlimited number of files through the object entries attachment fields; the files are stored in the document_library, allowing an attacker to cause a potential DDoS. There are no reported fixed by versions.
VCID-hrcr-arpj-t7h1
Aliases:
CVE-2025-43760
GHSA-fvqv-593q-qp8r
Liferay Portal Reflected Cross-Site Scripting Vulnerability via PortalUtil.escapeRedirect
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.6, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript into PortalUtil.escapeRedirect. There are no reported fixed by versions.
VCID-ht7d-5a1n-vyap
Aliases:
CVE-2025-43757
GHSA-62pf-hcwj-rcfc
Liferay Portal Vulnerable to Cross-Site Scripting via DDMPortlet_definition Parameter
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. There are no reported fixed by versions.
VCID-j4w5-6t6r-3fer
Aliases:
CVE-2025-43754
GHSA-x7p4-v8mj-6fxx
Liferay Portal Username Enumeration Vulnerability
Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine whether an account exists in the application by inspecting the server processing time of the login request. There are no reported fixed by versions.
VCID-jhpw-jb9e-xqhj
Aliases:
CVE-2025-4581
GHSA-6v93-frf9-2rp8
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 contain a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web component due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation. There are no reported fixed by versions.
VCID-mwc1-h7hq-y3fg
Aliases:
CVE-2025-43741
GHSA-j6p8-g3rj-ghpm
Liferay Portal Vulnerable to Cross-Site Scripting via assetTagNames Parameter
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript into the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter. There are no reported fixed by versions.
VCID-pr4k-p1kc-gfdt
Aliases:
CVE-2025-43744
GHSA-m49p-6cjp-x2h3
Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels
A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels, which are then inserted into the DOM using innerHTML without proper encoding. There are no reported fixed by versions.
VCID-q9n2-r73c-v3cg
Aliases:
CVE-2025-3639
GHSA-g4wg-mpfg-x2q6
Liferay Portal Login Bypass Vulnerability
Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process, once the site has MFA enabled, by changing the request method from POST to GET. There are no reported fixed by versions.
VCID-zg4c-t4b5-rkgq
Aliases:
CVE-2025-4655
GHSA-c6g5-g6r7-q4j6
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs. There are no reported fixed by versions.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-6e8x-qeby-u3d1
Aliases:
CVE-2025-3760
GHSA-qhp6-vp7c-g7xp
Liferay Cross-site Scripting vulnerability
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.
VCID-daxj-5xz8-d3g3
Aliases:
CVE-2025-43735
GHSA-222w-xmc5-jhp3
Liferay Portal and Liferay DXP have a reflected cross-site scripting vulnerability
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows a remote unauthenticated attacker to inject JavaScript into the google_gadget.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-30T07:43:16.661912+00:00 GitLab Importer Affected by VCID-dnv6-swpp-cuee https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43776.yml 38.6.0
2026-05-30T07:36:50.151898+00:00 GitLab Importer Affected by VCID-hrcr-arpj-t7h1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43760.yml 38.6.0
2026-05-30T07:36:41.794054+00:00 GitLab Importer Affected by VCID-gv9f-cur9-2be3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43752.yml 38.6.0
2026-05-30T07:36:33.132345+00:00 GitLab Importer Affected by VCID-j4w5-6t6r-3fer https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43754.yml 38.6.0
2026-05-30T07:36:27.124394+00:00 GitLab Importer Affected by VCID-ht7d-5a1n-vyap https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43757.yml 38.6.0
2026-05-30T07:36:26.741361+00:00 GitLab Importer Affected by VCID-68u4-q6vh-uqda https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43746.yml 38.6.0
2026-05-30T07:36:16.149169+00:00 GitLab Importer Affected by VCID-a3ry-pezq-9bg9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43749.yml 38.6.0
2026-05-30T07:36:15.671988+00:00 GitLab Importer Affected by VCID-mwc1-h7hq-y3fg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43741.yml 38.6.0
2026-05-30T07:36:11.508574+00:00 GitLab Importer Affected by VCID-9sb7-qrgp-1yf9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43745.yml 38.6.0
2026-05-30T07:36:06.932973+00:00 GitLab Importer Affected by VCID-gu3f-jgwd-suez https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43740.yml 38.6.0
2026-05-30T07:36:02.046614+00:00 GitLab Importer Affected by VCID-pr4k-p1kc-gfdt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43744.yml 38.6.0
2026-05-30T07:35:58.279668+00:00 GitLab Importer Affected by VCID-cbt7-tube-jkgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43743.yml 38.6.0
2026-05-30T07:35:55.338951+00:00 GitLab Importer Affected by VCID-erjj-fcds-2ydh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43731.yml 38.6.0
2026-05-30T07:35:52.247736+00:00 GitLab Importer Affected by VCID-q9n2-r73c-v3cg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-3639.yml 38.6.0
2026-05-30T07:35:18.536287+00:00 GitLab Importer Affected by VCID-fbkn-d96m-gyas https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43734.yml 38.6.0
2026-05-30T07:34:59.302856+00:00 GitLab Importer Fixing VCID-daxj-5xz8-d3g3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43735.yml 38.6.0
2026-05-30T07:34:51.871779+00:00 GitLab Importer Affected by VCID-2wm6-yd62-y7cz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-43736.yml 38.6.0
2026-05-30T07:34:49.603936+00:00 GitLab Importer Affected by VCID-jhpw-jb9e-xqhj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-4581.yml 38.6.0
2026-05-30T07:34:48.789624+00:00 GitLab Importer Affected by VCID-zg4c-t4b5-rkgq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-4655.yml 38.6.0
2026-05-30T07:23:58.336883+00:00 GitLab Importer Fixing VCID-6e8x-qeby-u3d1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.liferay.portal/release.portal.bom/CVE-2025-3760.yml 38.6.0
2026-05-29T09:00:30.035516+00:00 GithubOSV Importer Fixing VCID-daxj-5xz8-d3g3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-222w-xmc5-jhp3/GHSA-222w-xmc5-jhp3.json 38.6.0
2026-05-29T08:58:34.289455+00:00 GithubOSV Importer Fixing VCID-6e8x-qeby-u3d1 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json 38.6.0