Liferay Digital Experience Platform vulnerabilities

264 known vulnerabilities affecting liferay/digital_experience_platform.

Total CVEs
264
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
HIGH31MEDIUM224LOW9

Vulnerabilities

Page 6 of 14
CVE-2025-43762MEDIUMCVSS 5.3≥ 2024.Q1.1, < 2024.Q1.15≥ 2024.q2.0, ≤ 2024.q2.13+4 more2025-08-22
CVE-2025-43762 [MEDIUM] CWE-770 CVE-2025-43762: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the forms, the files are stored in the document_library allo
nvd
CVE-2025-43758MEDIUMCVSS 5.3≥ 2024.Q1.1, < 2024.Q1.16≥ 2024.q2.0, ≤ 2024.q2.13+4 more2025-08-22
CVE-2025-43758 [MEDIUM] CWE-552 CVE-2025-43758: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library
nvd
CVE-2025-43760MEDIUMCVSS 5.3≥ 2024.Q1.1, ≤ 2024.Q1.20≥ 2024.q2.0, ≤ 2024.q2.13+4 more2025-08-22
CVE-2025-43760 [MEDIUM] CWE-79 CVE-2025-43760: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.6, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript
nvd
CVE-2025-43751MEDIUMCVSS 6.9≥ 2023.Q3.1, ≤ 2023.Q3.10≥ 2023.q4.0, ≤ 2023.q4.10+5 more2025-08-22
CVE-2025-43751 [MEDIUM] CWE-203 CVE-2025-43751: User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exis
nvd
CVE-2025-43761MEDIUMCVSS 6.9≥ 2024.Q1.1, < 2024.Q1.13≥ 2024.q2.0, ≤ 2024.q2.13+3 more2025-08-22
CVE-2025-43761 [MEDIUM] CWE-79 CVE-2025-43761: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the frontend-editor-
nvd
CVE-2025-43747MEDIUMCVSS 4.8≥ 2025.Q2.0, < 2025.Q2.42025-08-21
CVE-2025-43747 [MEDIUM] CWE-918 CVE-2025-43747: A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 2025.Q2.0 through 2025. A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change the domain and bypassing the validation method, this insecure validation is not distinguishing between trusted subdomains and
nvd
CVE-2025-43754MEDIUMCVSS 6.9≥ 2024.Q1.1, < 2024.Q1.15≥ 2024.q2.0, ≤ 2024.q2.13+3 more2025-08-21
CVE-2025-43754 [MEDIUM] CWE-208 CVE-2025-43754: Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exist in the application by inspecting the server processing time
nvd
CVE-2025-43755MEDIUMCVSS 5.1≥ 2024.Q1.1, < 2024.Q1.18≥ 2024.q2.0, ≤ 2024.q2.13+5 more2025-08-21
CVE-2025-43755 [MEDIUM] CWE-79 CVE-2025-43755: A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Lif A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaS
nvd
CVE-2025-43756MEDIUMCVSS 6.9≥ 2024.q1.1, < 2024.q1.20≥ 2025.Q1.0, < 2025.Q1.16+1 more2025-08-21
CVE-2025-43756 [MEDIUM] CWE-79 CVE-2025-43756: <!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->A reflected cross-site scrip A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.
nvd
CVE-2025-43753LOWCVSS 2.1≥ 2024.Q1.1, < 2024.Q1.17≥ 2024.Q2.1, ≤ 2024.Q2.13+4 more2025-08-21
CVE-2025-43753 [LOW] CWE-79 CVE-2025-43753: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.13 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScr
nvd
CVE-2025-43748HIGHCVSS 7.1≥ 7.0, ≤ 7.4≥ 2023.Q3.1, ≤ 2023.Q3.9+2 more2025-08-20
CVE-2025-43748 [HIGH] CWE-352 CVE-2025-43748: Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery
nvd
CVE-2025-43746MEDIUMCVSS 5.1≥ 2024.Q1.1, < 2024.Q1.19≥ 2024.q2.0, ≤ 2024.q2.13+5 more2025-08-20
CVE-2025-43746 [MEDIUM] CWE-79 CVE-2025-43746: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated a
nvd
CVE-2025-43750MEDIUMCVSS 5.1≥ 2024.Q1.1, < 2024.Q1.15≥ 2024.q2.0, ≤ 2024.q2.12+4 more2025-08-20
CVE-2025-43750 [MEDIUM] CWE-434 CVE-2025-43750: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, e
nvd
CVE-2025-43742MEDIUMCVSS 6.9≥ 2024.Q1.1, < 2024.Q1.15≥ 2024.q2.0, ≤ 2024.q2.13+4 more2025-08-20
CVE-2025-43742 [MEDIUM] CWE-79 CVE-2025-43742: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScr
nvd
CVE-2025-43741MEDIUMCVSS 5.1≥ 2024.Q1.1, < 2024.Q1.15≥ 2024.q2.0, ≤ 2024.q2.13+4 more2025-08-20
CVE-2025-43741 [MEDIUM] CWE-79 CVE-2025-43741: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScrip i
nvd
CVE-2025-43749MEDIUMCVSS 5.3≥ 2024.Q1.1, < 2024.Q1.15≥ 2024.q2.0, ≤ 2024.q2.13+4 more2025-08-20
CVE-2025-43749 [MEDIUM] CWE-552 CVE-2025-43749: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded in the form and stored in document_library
nvd
CVE-2025-43757MEDIUMCVSS 4.8≥ 2024.Q1.1, < 2024.Q1.19≥ 2024.Q2.1, ≤ 2024.Q2.13+5 more2025-08-20
CVE-2025-43757 [MEDIUM] CWE-79 CVE-2025-43757: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated a
nvd
CVE-2025-43738MEDIUMCVSS 5.1≥ 2024.q1.1, < 2024.q1.20≥ 2024.Q2.1, ≤ 2024.Q2.13+4 more2025-08-19
CVE-2025-43738 [MEDIUM] CWE-79 CVE-2025-43738: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript c
nvd
CVE-2025-43743MEDIUMCVSS 5.3≥ 2024.Q1.1, < 2024.Q1.16≥ 2024.q2.0, ≤ 2024.q2.13+4 more2025-08-19
CVE-2025-43743 [MEDIUM] CWE-203 CVE-2025-43743: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, gi
nvd
CVE-2025-43740MEDIUMCVSS 4.6≥ 2024.Q1.9, < 2024.Q1.20≥ 2024.Q2.1, ≤ 2024.Q2.13+4 more2025-08-19
CVE-2025-43740 [MEDIUM] CWE-79 CVE-2025-43740: A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and L A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript
nvd
← Previous6 / 14Next →