| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-27a1-teqk-cbe2 |
| vulnerability_id |
VCID-27a1-teqk-cbe2 |
| summary |
Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript through a Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43776, GHSA-rcc7-jx7p-hrv4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-27a1-teqk-cbe2 |
|
| 1 |
| url |
VCID-2bcr-bxek-skfq |
| vulnerability_id |
VCID-2bcr-bxek-skfq |
| summary |
Liferay Portal vulnerable to password enumeration
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.120 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.120 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-27a1-teqk-cbe2 |
|
| 1 |
| vulnerability |
VCID-2dra-x6f5-xybz |
|
| 2 |
| vulnerability |
VCID-2mtb-mdha-qufv |
|
| 3 |
| vulnerability |
VCID-434b-p73k-5fam |
|
| 4 |
| vulnerability |
VCID-4kym-jhtn-cfa3 |
|
| 5 |
| vulnerability |
VCID-4xqq-69ab-1qew |
|
| 6 |
| vulnerability |
VCID-8xx2-vtnr-dubu |
|
| 7 |
| vulnerability |
VCID-brjh-tyur-ebc8 |
|
| 8 |
| vulnerability |
VCID-by7b-2zr9-y3dj |
|
| 9 |
| vulnerability |
VCID-ca62-h2qv-v7bg |
|
| 10 |
| vulnerability |
VCID-csnj-331s-43ea |
|
| 11 |
| vulnerability |
VCID-ebzh-bpks-5qe2 |
|
| 12 |
| vulnerability |
VCID-evap-nt9g-akf6 |
|
| 13 |
| vulnerability |
VCID-g41m-xvk2-xfda |
|
| 14 |
| vulnerability |
VCID-ggmh-6ef8-7ufj |
|
| 15 |
| vulnerability |
VCID-gyge-7d5c-6uhz |
|
| 16 |
| vulnerability |
VCID-j3pc-gwg6-qfbs |
|
| 17 |
| vulnerability |
VCID-ksvn-b6hv-hfa7 |
|
| 18 |
| vulnerability |
VCID-nhp5-61h7-ryf4 |
|
| 19 |
| vulnerability |
VCID-s86p-ew9a-rkgt |
|
| 20 |
| vulnerability |
VCID-sw28-urg9-tqgd |
|
| 21 |
| vulnerability |
VCID-w7z4-h1ug-z3cq |
|
| 22 |
| vulnerability |
VCID-wpqk-8fd9-p3ex |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.120 |
|
|
| aliases |
CVE-2025-62257, GHSA-8hw3-ghwv-crfh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2bcr-bxek-skfq |
|
| 2 |
| url |
VCID-2dra-x6f5-xybz |
| vulnerability_id |
VCID-2dra-x6f5-xybz |
| summary |
Liferay Portal Reflected Cross-Site Scripting Vulnerability via PortalUtil.escapeRedirect
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.6, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript into the PortalUtil.escapeRedirect |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-43760, GHSA-fvqv-593q-qp8r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2dra-x6f5-xybz |
|
| 3 |
| url |
VCID-2mtb-mdha-qufv |
| vulnerability_id |
VCID-2mtb-mdha-qufv |
| summary |
Liferay Portal Vulnerable to Cross-Site Request Forgery
Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.125 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.125 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-27a1-teqk-cbe2 |
|
| 1 |
| vulnerability |
VCID-2dra-x6f5-xybz |
|
| 2 |
| vulnerability |
VCID-434b-p73k-5fam |
|
| 3 |
| vulnerability |
VCID-4kym-jhtn-cfa3 |
|
| 4 |
| vulnerability |
VCID-4xqq-69ab-1qew |
|
| 5 |
| vulnerability |
VCID-8xx2-vtnr-dubu |
|
| 6 |
| vulnerability |
VCID-brjh-tyur-ebc8 |
|
| 7 |
| vulnerability |
VCID-by7b-2zr9-y3dj |
|
| 8 |
| vulnerability |
VCID-ca62-h2qv-v7bg |
|
| 9 |
| vulnerability |
VCID-csnj-331s-43ea |
|
| 10 |
| vulnerability |
VCID-ebzh-bpks-5qe2 |
|
| 11 |
| vulnerability |
VCID-evap-nt9g-akf6 |
|
| 12 |
| vulnerability |
VCID-g41m-xvk2-xfda |
|
| 13 |
| vulnerability |
VCID-ggmh-6ef8-7ufj |
|
| 14 |
| vulnerability |
VCID-gyge-7d5c-6uhz |
|
| 15 |
| vulnerability |
VCID-j3pc-gwg6-qfbs |
|
| 16 |
| vulnerability |
VCID-ksvn-b6hv-hfa7 |
|
| 17 |
| vulnerability |
VCID-nhp5-61h7-ryf4 |
|
| 18 |
| vulnerability |
VCID-s86p-ew9a-rkgt |
|
| 19 |
| vulnerability |
VCID-sw28-urg9-tqgd |
|
| 20 |
| vulnerability |
VCID-u1pr-9cpx-q3hg |
|
| 21 |
| vulnerability |
VCID-w7z4-h1ug-z3cq |
|
| 22 |
| vulnerability |
VCID-wpqk-8fd9-p3ex |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.125 |
|
|
| aliases |
CVE-2025-43748, GHSA-p9gc-59hf-x48p
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2mtb-mdha-qufv |
|
| 4 |
| url |
VCID-434b-p73k-5fam |
| vulnerability_id |
VCID-434b-p73k-5fam |
| summary |
Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameter. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43746, GHSA-mpww-r37c-vxjw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-434b-p73k-5fam |
|
| 5 |
| url |
VCID-4kym-jhtn-cfa3 |
| vulnerability_id |
VCID-4kym-jhtn-cfa3 |
| summary |
Liferay Portal Vulnerable to Cross-Site Scripting via assetTagNames Parameter
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript in the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-43741, GHSA-j6p8-g3rj-ghpm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4kym-jhtn-cfa3 |
|
| 6 |
| url |
VCID-4xqq-69ab-1qew |
| vulnerability_id |
VCID-4xqq-69ab-1qew |
| summary |
Liferay Portal Username Enumeration Vulnerability
Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exists in the application by inspecting the server processing time of the login request. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-43754, GHSA-x7p4-v8mj-6fxx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4xqq-69ab-1qew |
|
| 7 |
| url |
VCID-8xx2-vtnr-dubu |
| vulnerability_id |
VCID-8xx2-vtnr-dubu |
| summary |
Liferay Portal Login Bypass Vulnerability
Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-3639, GHSA-g4wg-mpfg-x2q6
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8xx2-vtnr-dubu |
|
| 8 |
| url |
VCID-brjh-tyur-ebc8 |
| vulnerability_id |
VCID-brjh-tyur-ebc8 |
| summary |
Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting
A stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks page. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43785, GHSA-66x6-8jgv-qpfh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-brjh-tyur-ebc8 |
|
| 9 |
| url |
VCID-by7b-2zr9-y3dj |
| vulnerability_id |
VCID-by7b-2zr9-y3dj |
| summary |
Liferay Portal CSRF Vulnerability via Endpoint Parameter
A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to perform a cross-origin request on behalf of the authenticated user via the endpoint parameter. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-43745, GHSA-7q33-gwcm-r6cj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-by7b-2zr9-y3dj |
|
| 10 |
| url |
VCID-ca62-h2qv-v7bg |
| vulnerability_id |
VCID-ca62-h2qv-v7bg |
| summary |
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-4655, GHSA-c6g5-g6r7-q4j6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ca62-h2qv-v7bg |
|
| 11 |
| url |
VCID-csnj-331s-43ea |
| vulnerability_id |
VCID-csnj-331s-43ea |
| summary |
Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)
Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-2536, GHSA-hrc4-p2h3-pjqw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-csnj-331s-43ea |
|
| 12 |
| url |
VCID-ebzh-bpks-5qe2 |
| vulnerability_id |
VCID-ebzh-bpks-5qe2 |
| summary |
Liferay Cross-site Scripting vulnerability
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-3760, GHSA-qhp6-vp7c-g7xp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ebzh-bpks-5qe2 |
|
| 13 |
| url |
VCID-evap-nt9g-akf6 |
| vulnerability_id |
VCID-evap-nt9g-akf6 |
| summary |
Liferay Portal Vulnerable to Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated user to inject JavaScript in message board threads and categories. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43731, GHSA-3p2m-574v-v257
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-evap-nt9g-akf6 |
|
| 14 |
| url |
VCID-g41m-xvk2-xfda |
| vulnerability_id |
VCID-g41m-xvk2-xfda |
| summary |
Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43734, GHSA-m5c7-5gv3-hcpf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g41m-xvk2-xfda |
|
| 15 |
| url |
VCID-ggmh-6ef8-7ufj |
| vulnerability_id |
VCID-ggmh-6ef8-7ufj |
| summary |
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allow a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web component due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-4581, GHSA-6v93-frf9-2rp8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ggmh-6ef8-7ufj |
|
| 16 |
| url |
VCID-gyge-7d5c-6uhz |
| vulnerability_id |
VCID-gyge-7d5c-6uhz |
| summary |
Liferay Portal's Unlimited File Upload Could Result in DoS
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow users to upload an unlimited number of files through the object entries attachment fields. The files are stored in the document_library, allowing an attacker to cause a potential DDoS. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43752, GHSA-qpp6-f3qj-rggq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gyge-7d5c-6uhz |
|
| 17 |
| url |
VCID-j3pc-gwg6-qfbs |
| vulnerability_id |
VCID-j3pc-gwg6-qfbs |
| summary |
Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels
A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-43744, GHSA-m49p-6cjp-x2h3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j3pc-gwg6-qfbs |
|
| 18 |
| url |
VCID-ksvn-b6hv-hfa7 |
| vulnerability_id |
VCID-ksvn-b6hv-hfa7 |
| summary |
Liferay Portal Enumeration Discrepancy in Calendars
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, giving an attacker the possibility to send phishing to these users. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-43743, GHSA-g4vp-4gqr-7v8c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ksvn-b6hv-hfa7 |
|
| 19 |
| url |
VCID-nhp5-61h7-ryf4 |
| vulnerability_id |
VCID-nhp5-61h7-ryf4 |
| summary |
Liferay Portal and Liferay DXP have a reflected cross-site scripting vulnerability
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the google_gadget. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43735, GHSA-222w-xmc5-jhp3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhp5-61h7-ryf4 |
|
| 20 |
| url |
VCID-rns1-e6pd-tkex |
| vulnerability_id |
VCID-rns1-e6pd-tkex |
| summary |
Liferay Portal Vulnerable to XSS in Web Content translation
Stored Cross-site Scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allow remote attackers to inject arbitrary web script or HTML via any rich text field in a web content article. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.120 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.120 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-27a1-teqk-cbe2 |
|
| 1 |
| vulnerability |
VCID-2dra-x6f5-xybz |
|
| 2 |
| vulnerability |
VCID-2mtb-mdha-qufv |
|
| 3 |
| vulnerability |
VCID-434b-p73k-5fam |
|
| 4 |
| vulnerability |
VCID-4kym-jhtn-cfa3 |
|
| 5 |
| vulnerability |
VCID-4xqq-69ab-1qew |
|
| 6 |
| vulnerability |
VCID-8xx2-vtnr-dubu |
|
| 7 |
| vulnerability |
VCID-brjh-tyur-ebc8 |
|
| 8 |
| vulnerability |
VCID-by7b-2zr9-y3dj |
|
| 9 |
| vulnerability |
VCID-ca62-h2qv-v7bg |
|
| 10 |
| vulnerability |
VCID-csnj-331s-43ea |
|
| 11 |
| vulnerability |
VCID-ebzh-bpks-5qe2 |
|
| 12 |
| vulnerability |
VCID-evap-nt9g-akf6 |
|
| 13 |
| vulnerability |
VCID-g41m-xvk2-xfda |
|
| 14 |
| vulnerability |
VCID-ggmh-6ef8-7ufj |
|
| 15 |
| vulnerability |
VCID-gyge-7d5c-6uhz |
|
| 16 |
| vulnerability |
VCID-j3pc-gwg6-qfbs |
|
| 17 |
| vulnerability |
VCID-ksvn-b6hv-hfa7 |
|
| 18 |
| vulnerability |
VCID-nhp5-61h7-ryf4 |
|
| 19 |
| vulnerability |
VCID-s86p-ew9a-rkgt |
|
| 20 |
| vulnerability |
VCID-sw28-urg9-tqgd |
|
| 21 |
| vulnerability |
VCID-w7z4-h1ug-z3cq |
|
| 22 |
| vulnerability |
VCID-wpqk-8fd9-p3ex |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.120 |
|
|
| aliases |
CVE-2025-43826, GHSA-qh92-cr5f-3595
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rns1-e6pd-tkex |
|
| 21 |
| url |
VCID-s86p-ew9a-rkgt |
| vulnerability_id |
VCID-s86p-ew9a-rkgt |
| summary |
Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture of more than 300kb into a user profile. This size is more than the noted max 300kb size. This extra data can significantly slow down the Liferay service. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43736, GHSA-cg99-m88x-422c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s86p-ew9a-rkgt |
|
| 22 |
| url |
VCID-sw28-urg9-tqgd |
| vulnerability_id |
VCID-sw28-urg9-tqgd |
| summary |
Liferay Portal and Liferay DXP Reveals Data via Forms
The data exposure vulnerability in Liferay Portal 7.4.0 through 7.4.3.126, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92 allows an unauthorized user to obtain entry data from forms. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-2565, GHSA-9fcg-wrp8-qhr4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sw28-urg9-tqgd |
|
| 23 |
| url |
VCID-w7z4-h1ug-z3cq |
| vulnerability_id |
VCID-w7z4-h1ug-z3cq |
| summary |
Liferay Portal Vulnerable to Cross-Site Scripting via DDMPortlet_definition Parameter
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-43757, GHSA-62pf-hcwj-rcfc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w7z4-h1ug-z3cq |
|
| 24 |
| url |
VCID-wpqk-8fd9-p3ex |
| vulnerability_id |
VCID-wpqk-8fd9-p3ex |
| summary |
Liferay Portal Unauthenticated File Access via URL
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access, via URL, files uploaded in the form and stored in document_library. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-43749, GHSA-5fx5-cff6-f3fp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wpqk-8fd9-p3ex |
|
|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-11qf-d5xp-4fey |
| vulnerability_id |
VCID-11qf-d5xp-4fey |
| summary |
Liferay Portal vulnerable to cross-site scripting in the web content template
Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a web content structure's Name text field |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-27a1-teqk-cbe2 |
|
| 1 |
| vulnerability |
VCID-2bcr-bxek-skfq |
|
| 2 |
| vulnerability |
VCID-2dra-x6f5-xybz |
|
| 3 |
| vulnerability |
VCID-2mtb-mdha-qufv |
|
| 4 |
| vulnerability |
VCID-434b-p73k-5fam |
|
| 5 |
| vulnerability |
VCID-4kym-jhtn-cfa3 |
|
| 6 |
| vulnerability |
VCID-4xqq-69ab-1qew |
|
| 7 |
| vulnerability |
VCID-8xx2-vtnr-dubu |
|
| 8 |
| vulnerability |
VCID-brjh-tyur-ebc8 |
|
| 9 |
| vulnerability |
VCID-by7b-2zr9-y3dj |
|
| 10 |
| vulnerability |
VCID-ca62-h2qv-v7bg |
|
| 11 |
| vulnerability |
VCID-csnj-331s-43ea |
|
| 12 |
| vulnerability |
VCID-ebzh-bpks-5qe2 |
|
| 13 |
| vulnerability |
VCID-evap-nt9g-akf6 |
|
| 14 |
| vulnerability |
VCID-g41m-xvk2-xfda |
|
| 15 |
| vulnerability |
VCID-ggmh-6ef8-7ufj |
|
| 16 |
| vulnerability |
VCID-gyge-7d5c-6uhz |
|
| 17 |
| vulnerability |
VCID-j3pc-gwg6-qfbs |
|
| 18 |
| vulnerability |
VCID-ksvn-b6hv-hfa7 |
|
| 19 |
| vulnerability |
VCID-nhp5-61h7-ryf4 |
|
| 20 |
| vulnerability |
VCID-rns1-e6pd-tkex |
|
| 21 |
| vulnerability |
VCID-s86p-ew9a-rkgt |
|
| 22 |
| vulnerability |
VCID-sw28-urg9-tqgd |
|
| 23 |
| vulnerability |
VCID-w7z4-h1ug-z3cq |
|
| 24 |
| vulnerability |
VCID-wpqk-8fd9-p3ex |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-43812, GHSA-jv8x-mm3v-75r7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-11qf-d5xp-4fey |
|
| 1 |
| url |
VCID-1jgz-k7zp-uydp |
| vulnerability_id |
VCID-1jgz-k7zp-uydp |
| summary |
Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2024-38002, GHSA-3mfq-fp2f-vwqh
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1jgz-k7zp-uydp |
|
| 2 |
| url |
VCID-5732-ffyz-9fh5 |
| vulnerability_id |
VCID-5732-ffyz-9fh5 |
| summary |
Liferay Profile Widget does not prevent vCard extension spoofing
The Profile Widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-43824, GHSA-pfxj-gvqg-mj44
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5732-ffyz-9fh5 |
|
| 3 |
| url |
VCID-ce9p-rwsz-zkf6 |
| vulnerability_id |
VCID-ce9p-rwsz-zkf6 |
| summary |
Liferay Portal is vulnerable to Stored XSS through Forms text type field
Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form with a rich text type field. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-43830, GHSA-378f-8q54-3fqx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ce9p-rwsz-zkf6 |
|
| 4 |
| url |
VCID-d56y-s4zt-uyd7 |
| vulnerability_id |
VCID-d56y-s4zt-uyd7 |
| summary |
Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter
Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/liferay/liferay-portal |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/liferay/liferay-portal |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-62264, GHSA-2j97-4jmq-c4xf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d56y-s4zt-uyd7 |
|
| 5 |
| url |
VCID-qy5u-7m7g-4ben |
| vulnerability_id |
VCID-qy5u-7m7g-4ben |
| summary |
Liferay Portal is vulnerable to XSS through its Commerce Search Result widget
Cross-site Scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-43823, GHSA-xx7h-2wf7-hc7p
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qy5u-7m7g-4ben |
|
| 6 |
| url |
VCID-r363-kggk-k3ds |
| vulnerability_id |
VCID-r363-kggk-k3ds |
| summary |
Liferay Portal is vulnerable to XSS in the Blogs widget
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field.
The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-62265, GHSA-56jv-4ww3-65mw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r363-kggk-k3ds |
|
| 7 |
| url |
VCID-su57-hncy-5qg4 |
| vulnerability_id |
VCID-su57-hncy-5qg4 |
| summary |
Liferay Portal vulnerable to reflected cross-site scripting via the `redirect` parameter
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1) Announcements, or (2) Alerts. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-43817, GHSA-m4hg-46pw-6mmv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-su57-hncy-5qg4 |
|
| 8 |
| url |
VCID-ynk1-3fye-bfcx |
| vulnerability_id |
VCID-ynk1-3fye-bfcx |
| summary |
Liferay Portal has multiple Stored XSS vulnerabilities on its View Order page
Multiple stored Cross-site Scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Terms and Condition's Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| purl |
pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.3.112-ga112 |
|
|
| aliases |
CVE-2025-43822, GHSA-4mqx-4p8g-995w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ynk1-3fye-bfcx |
|
|