Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/568546?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/568546?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@2.44.11", "type": "maven", "namespace": "com.liferay.portal", "name": "com.liferay.portal.impl", "version": "2.44.11", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108928?format=api", "vulnerability_id": "VCID-2fn6-apud-qbh4", "summary": "Liferay Portal Insecure Default Configuration in auth.login.prompt.enabled\nAn insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41414", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00206", "scoring_system": "epss", "scoring_elements": "0.42718", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00206", "scoring_system": "epss", "scoring_elements": "0.42741", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00206", "scoring_system": "epss", "scoring_elements": "0.4273", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00206", "scoring_system": "epss", "scoring_elements": "0.42682", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00206", "scoring_system": "epss", "scoring_elements": "0.42656", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41414" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" 
}, { "reference_url": "https://github.com/liferay/liferay-portal/commit/659c4422bd32b1db1a01a7f4a42b7702d512ffa2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/659c4422bd32b1db1a01a7f4a42b7702d512ffa2" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-01-insecure-defaults-auth-login-prompt-enabled?p_r_p_assetEntryId=121612026&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612026%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-01-insecure-defaults-auth-login-prompt-enabled?p_r_p_assetEntryId=121612026&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612026%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41414", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41414" }, { "reference_url": "https://github.com/advisories/GHSA-9427-7f65-88c8", "reference_id": "GHSA-9427-7f65-88c8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9427-7f65-88c8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145105?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@8.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-b24q-c9nx-hkdy" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-jq7b-2mag-vuab" }, { "vulnerability": "VCID-nac9-yhv8-73bh" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-pf71-p73a-xyda" }, { "vulnerability": 
"VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@8.0.0" } ], "aliases": [ "CVE-2022-41414", "GHSA-9427-7f65-88c8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2fn6-apud-qbh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57955?format=api", "vulnerability_id": "VCID-3wfa-bk1h-2bcm", "summary": "Liferay Portal JSONWS API endpoint shares sensitive information\nLiferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43768", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22776", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22827", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.2287", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22886", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43768" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/efdbdbce73605ecd13b1a5e60f5186cc59f09c16", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/efdbdbce73605ecd13b1a5e60f5186cc59f09c16" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-18154", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-18154" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43768", "reference_id": "CVE-2025-43768", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-25T17:55:35Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43768" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43768", "reference_id": "CVE-2025-43768", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-43768" }, { "reference_url": "https://github.com/advisories/GHSA-cv9j-mg9w-v7wm", "reference_id": "GHSA-cv9j-mg9w-v7wm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cv9j-mg9w-v7wm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86197?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@108.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@108.1.1" } ], "aliases": [ "CVE-2025-43768", "GHSA-cv9j-mg9w-v7wm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3wfa-bk1h-2bcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47576?format=api", "vulnerability_id": "VCID-5u3e-3ubp-vffe", "summary": "Liferay Portal has stored cross-site scripting (XSS) vulnerability\nA stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote authenticated attackers with the instance administrator role to inject arbitrary web script or HTML into all pages via a crafted payload injected into the Instance Configuration's (1) CDN Host HTTP text field or (2) CDN Host HTTPS text field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43794", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1281", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12691", 
"published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12775", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12815", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43794" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43794", "reference_id": "CVE-2025-43794", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T11:58:07Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43794" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43794", "reference_id": "CVE-2025-43794", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43794" }, { "reference_url": "https://github.com/advisories/GHSA-r45v-2289-jgr4", "reference_id": "GHSA-r45v-2289-jgr4", "reference_type": "", "scores": [], "url": 
"https://github.com/advisories/GHSA-r45v-2289-jgr4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69928?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0" } ], "aliases": [ "CVE-2025-43794", "GHSA-r45v-2289-jgr4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5u3e-3ubp-vffe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47754?format=api", "vulnerability_id": "VCID-7nqg-kesu-6kcf", "summary": "Liferay Portal has unchecked input for loop condition vulnerability in XML-RPC\nUnchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to perform denial-of-service (DoS) attacks via a crafted XML-RPC request.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43801", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00224", "scoring_system": "epss", "scoring_elements": "0.45253", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00224", "scoring_system": "epss", "scoring_elements": "0.45205", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00224", "scoring_system": "epss", "scoring_elements": "0.45232", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00224", "scoring_system": "epss", 
"scoring_elements": "0.4525", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43801" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43801", "reference_id": "CVE-2025-43801", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:59Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43801" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43801", "reference_id": "CVE-2025-43801", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43801" }, { "reference_url": "https://github.com/advisories/GHSA-95h4-8mqc-4mpf", "reference_id": "GHSA-95h4-8mqc-4mpf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-95h4-8mqc-4mpf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70435?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0" } ], "aliases": [ "CVE-2025-43801", "GHSA-95h4-8mqc-4mpf" ], "risk_score": 3.1, 
"exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7nqg-kesu-6kcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111315?format=api", "vulnerability_id": "VCID-84qe-1wws-v3g6", "summary": "Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use\nIn implementation for the portal services before 5.7.3 in Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33322", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.45117", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.45069", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.45097", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.45113", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.45044", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33322" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": 
"https://github.com/liferay/liferay-portal/commit/8f072ee8527a1dd5c0ffa91c4a78641d0e666b95", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/8f072ee8527a1dd5c0ffa91c4a78641d0e666b95" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/9fe453b34f58286a504d995be8ba50499adcf1b7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/9fe453b34f58286a504d995be8ba50499adcf1b7" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-16981", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-16981" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-33322-password-change-does-not-invalidate-password-reset-tokens?p_r_p_assetEntryId=121610648&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121610648%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-33322-password-change-does-not-invalidate-password-reset-tokens?p_r_p_assetEntryId=121610648&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121610648%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33322", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33322" }, { "reference_url": "https://github.com/advisories/GHSA-vwj8-4grf-3r8v", "reference_id": "GHSA-vwj8-4grf-3r8v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vwj8-4grf-3r8v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/151934?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@5.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fn6-apud-qbh4" }, { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": 
"VCID-b24q-c9nx-hkdy" }, { "vulnerability": "VCID-eaks-bevz-uuc8" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-jq7b-2mag-vuab" }, { "vulnerability": "VCID-nac9-yhv8-73bh" }, { "vulnerability": "VCID-pf71-p73a-xyda" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-uug8-ap5n-r3g2" }, { "vulnerability": "VCID-uv23-yfgk-87h9" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@5.7.3" } ], "aliases": [ "CVE-2021-33322", "GHSA-vwj8-4grf-3r8v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-84qe-1wws-v3g6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48156?format=api", "vulnerability_id": "VCID-b24q-c9nx-hkdy", "summary": "Liferay Portal Stores Password Reset Tokens in Plain Text\nLiferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s account.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62261", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07587", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07636", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07658", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07648", "published_at": 
"2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62261" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/b228c7878f2ed5ad8dbc1ff7ec9b5e6d53bb4b5c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/b228c7878f2ed5ad8dbc1ff7ec9b5e6d53bb4b5c" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-17785", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-17785" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62261", "reference_id": "CVE-2025-62261", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-28T14:27:39Z/" } ], "url": 
"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62261" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62261", "reference_id": "CVE-2025-62261", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62261" }, { "reference_url": "https://github.com/advisories/GHSA-xcj6-xpjg-c4xr", "reference_id": "GHSA-xcj6-xpjg-c4xr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xcj6-xpjg-c4xr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71159?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@92.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-nac9-yhv8-73bh" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-pf71-p73a-xyda" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@92.0.2" } ], "aliases": [ "CVE-2025-62261", "GHSA-xcj6-xpjg-c4xr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b24q-c9nx-hkdy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47090?format=api", "vulnerability_id": "VCID-eaks-bevz-uuc8", "summary": "Liferay Portal and Liferay DXP 
Vulnerable to Cross-Site Request Forgery in Terms of Use Page\nCross-Site Request Forgery (CSRF) vulnerability in the terms of use page in the implementation for the portal services package before 5.25.0 from Liferay Portal (before 7.3.6), and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29050", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.6961", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69637", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69648", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69657", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.6965", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29050" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/1295dcd8173ac820e501d0e9b3bf1da97ea8b7d4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://github.com/liferay/liferay-portal/commit/1295dcd8173ac820e501d0e9b3bf1da97ea8b7d4" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/f2723cb2e8dacfbd140ff5f255bb7d21a11c476d", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/f2723cb2e8dacfbd140ff5f255bb7d21a11c476d" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-17207", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-17207" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29050", "reference_id": "CVE-2021-29050", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T16:14:38Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29050" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29050", "reference_id": "CVE-2021-29050", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29050" }, { 
"reference_url": "https://github.com/advisories/GHSA-mh9r-9pcx-rx55", "reference_id": "GHSA-mh9r-9pcx-rx55", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mh9r-9pcx-rx55" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69094?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@5.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fn6-apud-qbh4" }, { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-b24q-c9nx-hkdy" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-jq7b-2mag-vuab" }, { "vulnerability": "VCID-nac9-yhv8-73bh" }, { "vulnerability": "VCID-pf71-p73a-xyda" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-uug8-ap5n-r3g2" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@5.25.0" } ], "aliases": [ "CVE-2021-29050", "GHSA-mh9r-9pcx-rx55" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eaks-bevz-uuc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48091?format=api", "vulnerability_id": "VCID-gqz1-hhpv-zqg3", "summary": "Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gadget\nA reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 
2023.Q4.10 allows a remote non-authenticated attacker to inject JavaScript into the google_gadget.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62249", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07577", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07625", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07648", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07638", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62249" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249", "reference_id": "CVE-2025-62249", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T18:30:38Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62249", "reference_id": "CVE-2025-62249", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62249" }, { "reference_url": "https://github.com/advisories/GHSA-rx48-gqc2-4w47", "reference_id": "GHSA-rx48-gqc2-4w47", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-rx48-gqc2-4w47" } ], "fixed_packages": [], "aliases": [ "CVE-2025-62249", "GHSA-rx48-gqc2-4w47" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gqz1-hhpv-zqg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48020?format=api", "vulnerability_id": "VCID-hf4a-a5a6-dkbf", "summary": "Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key\nInsecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62252", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16609", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16691", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.1673", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16732", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62252" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/8c3fc088f82ffc981a21935e8b6dcf8f36e27152", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/8c3fc088f82ffc981a21935e8b6dcf8f36e27152" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/e7b6074a320a8872ffe9423c3d1a64dada4f3238", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/e7b6074a320a8872ffe9423c3d1a64dada4f3238" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-17941", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-17941" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252", "reference_id": "CVE-2025-62252", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-14T15:09:17Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62252", "reference_id": "CVE-2025-62252", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62252" }, { "reference_url": "https://github.com/advisories/GHSA-pfwq-mr9g-gq6m", "reference_id": "GHSA-pfwq-mr9g-gq6m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pfwq-mr9g-gq6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69928?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@99.0.0" } ], "aliases": [ "CVE-2025-62252", "GHSA-pfwq-mr9g-gq6m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hf4a-a5a6-dkbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48319?format=api", "vulnerability_id": "VCID-jq7b-2mag-vuab", "summary": "Liferay Portal and DXP use an incorrect cache-control header\nThe Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported 
versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions use an incorrect cache-control header, which allows local users to obtain access to downloaded files via the browser's cache.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62276", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04985", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04939", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04977", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04999", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62276" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/36c080fc4522e46d69b5c3b4b9eb6aca5ff52699", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/liferay/liferay-portal/commit/36c080fc4522e46d69b5c3b4b9eb6aca5ff52699" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/9781b594cffcd23583a1a0f93746fd20e3eb55bd", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/9781b594cffcd23583a1a0f93746fd20e3eb55bd" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-17701", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-17701" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62276", "reference_id": "CVE-2025-62276", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-03T13:10:51Z/" } ], "url": 
"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62276" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62276", "reference_id": "CVE-2025-62276", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62276" }, { "reference_url": "https://github.com/advisories/GHSA-6533-fhr2-f38h", "reference_id": "GHSA-6533-fhr2-f38h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6533-fhr2-f38h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71311?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@69.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-b24q-c9nx-hkdy" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-nac9-yhv8-73bh" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-pf71-p73a-xyda" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@69.1.0" } ], "aliases": [ "CVE-2025-62276", "GHSA-6533-fhr2-f38h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jq7b-2mag-vuab" }, { 
"url": "http://public2.vulnerablecode.io/api/vulnerabilities/47580?format=api", "vulnerability_id": "VCID-nac9-yhv8-73bh", "summary": "Liferay Portal has Improper Validation of Specified Quantity in Input\nLiferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that shares the same TLD to read cookies set by the application.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43793", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25402", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25278", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25337", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25386", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43793" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43793", "reference_id": "CVE-2025-43793", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:53:26Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43793" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43793", "reference_id": "CVE-2025-43793", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43793" }, { "reference_url": "https://github.com/advisories/GHSA-xvgg-9h29-4g34", "reference_id": "GHSA-xvgg-9h29-4g34", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xvgg-9h29-4g34" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69933?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@96.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@96.0.0" } ], "aliases": [ "CVE-2025-43793", "GHSA-xvgg-9h29-4g34" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nac9-yhv8-73bh" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/47906?format=api", "vulnerability_id": "VCID-pf71-p73a-xyda", "summary": "Liferay Portal vulnerable to path traversal and denial-of-service in the ComboServlet\nPossible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to access arbitrary CSS and JSS files and load the files multiple times via the query string in a URL.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43813", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41812", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41847", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41876", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41865", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43813" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/7acad68976e831a0f3b855752ad7874e03be1d43", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/7acad68976e831a0f3b855752ad7874e03be1d43" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/9159075ede8a1656bf67a893a486c93a9e9fe70a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/9159075ede8a1656bf67a893a486c93a9e9fe70a" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/9be57d358ae0f6181a138ce08f52b80e4b14778a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/9be57d358ae0f6181a138ce08f52b80e4b14778a" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-17865", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-17865" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43813", "reference_id": "CVE-2025-43813", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-30T14:45:14Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43813" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43813", "reference_id": "CVE-2025-43813", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43813" }, { "reference_url": "https://github.com/advisories/GHSA-2hm7-r8f3-423h", "reference_id": "GHSA-2hm7-r8f3-423h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2hm7-r8f3-423h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69933?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@96.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@96.0.0" } ], "aliases": [ "CVE-2025-43813", "GHSA-2hm7-r8f3-423h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pf71-p73a-xyda" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/48127?format=api", "vulnerability_id": "VCID-qvjw-8uev-jkds", "summary": "Liferay Portal ComboServlet denial of service via large file combination\nThe ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62254", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46095", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46048", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46074", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46094", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62254" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/45e1a3a757bc38f7b9f8034909e90f1a56f160a5", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/45e1a3a757bc38f7b9f8034909e90f1a56f160a5" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/8328aaf7c6ebb3f76c7982256e028caeb48fb664", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/8328aaf7c6ebb3f76c7982256e028caeb48fb664" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/85d63e9d6e47e11074046cc4459d3b1ab3370536", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/85d63e9d6e47e11074046cc4459d3b1ab3370536" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/def502837297d155ec2fd61044288e75230dd235", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/def502837297d155ec2fd61044288e75230dd235" }, { "reference_url": "https://liferay.atlassian.net/browse/LPE-17867", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/browse/LPE-17867" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62254", "reference_id": "CVE-2025-62254", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-24T16:56:03Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62254" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62254", "reference_id": "CVE-2025-62254", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, 
{ "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62254" }, { "reference_url": "https://github.com/advisories/GHSA-q95h-87j6-273x", "reference_id": "GHSA-q95h-87j6-273x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q95h-87j6-273x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71075?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@97.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@97.0.0" } ], "aliases": [ "CVE-2025-62254", "GHSA-q95h-87j6-273x" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qvjw-8uev-jkds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42941?format=api", "vulnerability_id": "VCID-uug8-ap5n-r3g2", "summary": "Liferay Portal and Liferay DXP fails to check permissions to view sites/groups\nLiferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-26595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00112", "scoring_system": 
"epss", "scoring_elements": "0.29352", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29318", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29385", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.2942", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-26595" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/5b958de42d93f1ba5879a0a20054b14ad7f145c4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/5b958de42d93f1ba5879a0a20054b14ad7f145c4" }, { "reference_url": "https://liferay.atlassian.net/issues/LPE-17367", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.atlassian.net/issues/LPE-17367" }, { "reference_url": 
"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-26595-unauthorized-access-to-site-group-list?p_r_p_assetEntryId=121612195&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612195%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-26595-unauthorized-access-to-site-group-list?p_r_p_assetEntryId=121612195&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612195%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26595", "reference_id": "CVE-2022-26595", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26595" }, { "reference_url": 
"https://github.com/advisories/GHSA-822f-jfpg-hg7h", "reference_id": "GHSA-822f-jfpg-hg7h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-822f-jfpg-hg7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61427?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@7.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@7.7.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/569766?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@7.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fn6-apud-qbh4" }, { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-b24q-c9nx-hkdy" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-jq7b-2mag-vuab" }, { "vulnerability": "VCID-nac9-yhv8-73bh" }, { "vulnerability": "VCID-nhp5-61h7-ryf4" }, { "vulnerability": "VCID-pf71-p73a-xyda" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@7.8.0" } ], "aliases": [ "CVE-2022-26595", "GHSA-822f-jfpg-hg7h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uug8-ap5n-r3g2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111266?format=api", "vulnerability_id": "VCID-uv23-yfgk-87h9", "summary": "Liferay Portal and Liferay DXP insecure default configuration\nInsecure default configuration in portal services 
implementation before 5.11.0 in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33321", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54805", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54812", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54802", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54785", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54744", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33321" }, { "reference_url": "https://github.com/liferay/liferay-portal", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal" }, { "reference_url": "https://github.com/liferay/liferay-portal/commit/06df28c5ad618afed967fa485418e6cc29c70f38", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/06df28c5ad618afed967fa485418e6cc29c70f38" }, { "reference_url": 
"https://github.com/liferay/liferay-portal/commit/37de1d78d9b1c4a473e3233a6ea146c741075e18", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/liferay/liferay-portal/commit/37de1d78d9b1c4a473e3233a6ea146c741075e18" }, { "reference_url": "https://help.liferay.com/hc/en-us/articles/360050785632", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://help.liferay.com/hc/en-us/articles/360050785632" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33321", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33321" }, { "reference_url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055" }, { "reference_url": "https://github.com/advisories/GHSA-jfch-m2x3-2v66", "reference_id": "GHSA-jfch-m2x3-2v66", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-jfch-m2x3-2v66" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/151834?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@5.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fn6-apud-qbh4" }, { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-5u3e-3ubp-vffe" }, { "vulnerability": "VCID-7nqg-kesu-6kcf" }, { "vulnerability": "VCID-b24q-c9nx-hkdy" }, { "vulnerability": "VCID-eaks-bevz-uuc8" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": "VCID-hf4a-a5a6-dkbf" }, { "vulnerability": "VCID-jq7b-2mag-vuab" }, { "vulnerability": "VCID-nac9-yhv8-73bh" }, { "vulnerability": "VCID-pf71-p73a-xyda" }, { "vulnerability": "VCID-qvjw-8uev-jkds" }, { "vulnerability": "VCID-uug8-ap5n-r3g2" }, { "vulnerability": "VCID-ys1x-s7ep-nfgq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@5.11.0" } ], "aliases": [ "CVE-2021-33321", "GHSA-jfch-m2x3-2v66" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uv23-yfgk-87h9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47817?format=api", "vulnerability_id": "VCID-ys1x-s7ep-nfgq", "summary": "Liferay Portal Cross-Site Request Forgery (CSRF) vulnerability\nCross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the 'orderUuid' parameter.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43809", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", 
"scoring_system": "epss", "scoring_elements": "0.0113", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01125", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43809" }, { "reference_url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43809", "reference_id": "CVE-2025-43809", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-19T19:48:16Z/" } ], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43809" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43809", "reference_id": "CVE-2025-43809", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43809" }, { "reference_url": "https://github.com/advisories/GHSA-697h-3q6m-jwp4", "reference_id": "GHSA-697h-3q6m-jwp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-697h-3q6m-jwp4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70435?format=api", "purl": "pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wfa-bk1h-2bcm" }, { "vulnerability": "VCID-gqz1-hhpv-zqg3" }, { "vulnerability": 
"VCID-nhp5-61h7-ryf4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@101.0.0" } ], "aliases": [ "CVE-2025-43809", "GHSA-697h-3q6m-jwp4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ys1x-s7ep-nfgq" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/com.liferay.portal.impl@2.44.11" }