Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@97.0.0

Type maven

Namespace com.liferay.portal

Name com.liferay.portal.impl

Version 97.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-an8p-2hjj-pkd5

vulnerability_id VCID-an8p-2hjj-pkd5

summary Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote authenticated attackers with the instance administrator role to inject arbitrary web script or HTML into all pages via a crafted payload injected into the Instance Configuration's (1) CDN Host HTTP text field or (2) CDN Host HTTPS text field.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-43794

reference_id

reference_type

scores

value	0.00041
scoring_system	epss
scoring_elements	0.12807
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-43794

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-43794

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-43794

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43794

reference_id

CVE-2025-43794

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T11:58:07Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43794

reference_url	https://github.com/advisories/GHSA-r45v-2289-jgr4
reference_id	GHSA-r45v-2289-jgr4
reference_type
scores
url	https://github.com/advisories/GHSA-r45v-2289-jgr4

fixed_packages

url pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0

purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hthn-qn9g-u3dv

vulnerability	VCID-hzv7-nyc7-fbbd

vulnerability	VCID-n3ep-1v8x-fqb3

vulnerability	VCID-p4ab-v294-4ff3

vulnerability	VCID-wy9a-wcxp-gfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0

aliases CVE-2025-43794, GHSA-r45v-2289-jgr4

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-an8p-2hjj-pkd5

url VCID-d5pp-pwcf-c3ga

vulnerability_id VCID-d5pp-pwcf-c3ga

summary Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-62252

reference_id

reference_type

scores

value	0.00052
scoring_system	epss
scoring_elements	0.16702
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-62252

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://github.com/liferay/liferay-portal/commit/8c3fc088f82ffc981a21935e8b6dcf8f36e27152

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/8c3fc088f82ffc981a21935e8b6dcf8f36e27152

reference_url

https://github.com/liferay/liferay-portal/commit/e7b6074a320a8872ffe9423c3d1a64dada4f3238

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/e7b6074a320a8872ffe9423c3d1a64dada4f3238

reference_url

https://liferay.atlassian.net/browse/LPE-17941

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://liferay.atlassian.net/browse/LPE-17941

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252

reference_id

CVE-2025-62252

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-14T15:09:17Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-62252

reference_id

CVE-2025-62252

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-62252

reference_url

https://github.com/advisories/GHSA-pfwq-mr9g-gq6m

reference_id

GHSA-pfwq-mr9g-gq6m

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pfwq-mr9g-gq6m

fixed_packages

url pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0

purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hthn-qn9g-u3dv

vulnerability	VCID-hzv7-nyc7-fbbd

vulnerability	VCID-n3ep-1v8x-fqb3

vulnerability	VCID-p4ab-v294-4ff3

vulnerability	VCID-wy9a-wcxp-gfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0

aliases CVE-2025-62252, GHSA-pfwq-mr9g-gq6m

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d5pp-pwcf-c3ga

url VCID-hthn-qn9g-u3dv

vulnerability_id VCID-hthn-qn9g-u3dv

summary A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-43735

reference_id

reference_type

scores

value	0.00208
scoring_system	epss
scoring_elements	0.43261
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-43735

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://github.com/liferay/liferay-portal/commit/64d19e457ffc9876fd159a907741618843d7aadb

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/64d19e457ffc9876fd159a907741618843d7aadb

reference_url

https://liferay.atlassian.net/browse/LPE-18158

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://liferay.atlassian.net/browse/LPE-18158

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-43735

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-43735

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43735

reference_id

CVE-2025-43735

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-12T13:31:05Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43735

reference_url	https://github.com/advisories/GHSA-222w-xmc5-jhp3
reference_id	GHSA-222w-xmc5-jhp3
reference_type
scores
url	https://github.com/advisories/GHSA-222w-xmc5-jhp3

fixed_packages

url pkg:maven/com.liferay.portal/com.liferay.portal.impl@109.1.0

purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@109.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wy9a-wcxp-gfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@109.1.0

aliases CVE-2025-43735, GHSA-222w-xmc5-jhp3

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hthn-qn9g-u3dv

url VCID-hzv7-nyc7-fbbd

vulnerability_id VCID-hzv7-nyc7-fbbd

summary Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the 'orderUuid' parameter.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-43809

reference_id

reference_type

scores

value	0.0001
scoring_system	epss
scoring_elements	0.01127
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-43809

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-43809

reference_id

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-43809

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43809

reference_id

CVE-2025-43809

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-19T19:48:16Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43809

reference_url	https://github.com/advisories/GHSA-697h-3q6m-jwp4
reference_id	GHSA-697h-3q6m-jwp4
reference_type
scores
url	https://github.com/advisories/GHSA-697h-3q6m-jwp4

fixed_packages

url pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0

purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hthn-qn9g-u3dv

vulnerability	VCID-p4ab-v294-4ff3

vulnerability	VCID-wy9a-wcxp-gfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0

aliases CVE-2025-43809, GHSA-697h-3q6m-jwp4

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hzv7-nyc7-fbbd

url VCID-n3ep-1v8x-fqb3

vulnerability_id VCID-n3ep-1v8x-fqb3

summary Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to perform a denial-of-service (DoS) attacks via a crafted XML-RPC request.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-43801

reference_id

reference_type

scores

value	0.00224
scoring_system	epss
scoring_elements	0.45273
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-43801

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-43801

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-43801

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43801

reference_id

CVE-2025-43801

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:59Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43801

reference_url	https://github.com/advisories/GHSA-95h4-8mqc-4mpf
reference_id	GHSA-95h4-8mqc-4mpf
reference_type
scores
url	https://github.com/advisories/GHSA-95h4-8mqc-4mpf

fixed_packages

url pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0

purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hthn-qn9g-u3dv

vulnerability	VCID-p4ab-v294-4ff3

vulnerability	VCID-wy9a-wcxp-gfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0

aliases CVE-2025-43801, GHSA-95h4-8mqc-4mpf

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n3ep-1v8x-fqb3

url VCID-p4ab-v294-4ff3

vulnerability_id VCID-p4ab-v294-4ff3

summary Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-43768

reference_id

reference_type

scores

value	0.00082
scoring_system	epss
scoring_elements	0.24122
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-43768

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://github.com/liferay/liferay-portal/commit/efdbdbce73605ecd13b1a5e60f5186cc59f09c16

reference_id

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/efdbdbce73605ecd13b1a5e60f5186cc59f09c16

reference_url

https://liferay.atlassian.net/browse/LPE-18154

reference_id

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://liferay.atlassian.net/browse/LPE-18154

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-43768

reference_id

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-43768

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43768

reference_id

CVE-2025-43768

reference_type

scores

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-25T17:55:35Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43768

reference_url	https://github.com/advisories/GHSA-cv9j-mg9w-v7wm
reference_id	GHSA-cv9j-mg9w-v7wm
reference_type
scores
url	https://github.com/advisories/GHSA-cv9j-mg9w-v7wm

fixed_packages

url pkg:maven/com.liferay.portal/com.liferay.portal.impl@108.1.1

purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@108.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hthn-qn9g-u3dv

vulnerability	VCID-wy9a-wcxp-gfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@108.1.1

aliases CVE-2025-43768, GHSA-cv9j-mg9w-v7wm

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p4ab-v294-4ff3

url

VCID-wy9a-wcxp-gfdw

vulnerability_id

VCID-wy9a-wcxp-gfdw

summary

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-62249

reference_id

reference_type

scores

value	0.00025
scoring_system	epss
scoring_elements	0.07632
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-62249

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5

reference_url

https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791

reference_url

https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249

reference_id

CVE-2025-62249

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T18:30:38Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-62249

reference_id

CVE-2025-62249

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-62249

reference_url

https://github.com/advisories/GHSA-rx48-gqc2-4w47

reference_id

GHSA-rx48-gqc2-4w47

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rx48-gqc2-4w47

fixed_packages

aliases

CVE-2025-62249, GHSA-rx48-gqc2-4w47

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-wy9a-wcxp-gfdw

Fixing_vulnerabilities

url VCID-pndz-ctxn-1uht

vulnerability_id VCID-pndz-ctxn-1uht

summary The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-62254

reference_id

reference_type

scores

value	0.00231
scoring_system	epss
scoring_elements	0.46114
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-62254

reference_url

https://github.com/liferay/liferay-portal

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal

reference_url

https://github.com/liferay/liferay-portal/commit/45e1a3a757bc38f7b9f8034909e90f1a56f160a5

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/45e1a3a757bc38f7b9f8034909e90f1a56f160a5

reference_url

https://github.com/liferay/liferay-portal/commit/8328aaf7c6ebb3f76c7982256e028caeb48fb664

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/8328aaf7c6ebb3f76c7982256e028caeb48fb664

reference_url

https://github.com/liferay/liferay-portal/commit/85d63e9d6e47e11074046cc4459d3b1ab3370536

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/85d63e9d6e47e11074046cc4459d3b1ab3370536

reference_url

https://github.com/liferay/liferay-portal/commit/def502837297d155ec2fd61044288e75230dd235

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/liferay/liferay-portal/commit/def502837297d155ec2fd61044288e75230dd235

reference_url

https://liferay.atlassian.net/browse/LPE-17867

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://liferay.atlassian.net/browse/LPE-17867

reference_url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62254

reference_id

CVE-2025-62254

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-24T16:56:03Z/

url

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62254

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-62254

reference_id

CVE-2025-62254

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-62254

reference_url

https://github.com/advisories/GHSA-q95h-87j6-273x

reference_id

GHSA-q95h-87j6-273x

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q95h-87j6-273x

fixed_packages

url pkg:maven/com.liferay.portal/com.liferay.portal.impl@97.0.0

purl pkg:maven/com.liferay.portal/com.liferay.portal.impl@97.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-an8p-2hjj-pkd5

vulnerability	VCID-d5pp-pwcf-c3ga

vulnerability	VCID-hthn-qn9g-u3dv

vulnerability	VCID-hzv7-nyc7-fbbd

vulnerability	VCID-n3ep-1v8x-fqb3

vulnerability	VCID-p4ab-v294-4ff3

vulnerability	VCID-wy9a-wcxp-gfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@97.0.0

aliases CVE-2025-62254, GHSA-q95h-87j6-273x

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pndz-ctxn-1uht

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@97.0.0

Package Instance