Liferay DXP vulnerabilities
242 known vulnerabilities affecting liferay/dxp.
Total CVEs: 242
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 26, MEDIUM 204, LOW 10
Vulnerabilities
CVE-2025-43759 | MEDIUM | CVSS 6.7 | CWE-732 | 2025-08-22
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.14; +4 more
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a lis
Sources: cvelistv5, nvd
CVE-2025-43762 | MEDIUM | CVSS 5.3 | CWE-770 | 2025-08-22
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.14; +4 more
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the forms, the files are stored in the document_library allo
Sources: cvelistv5, nvd
CVE-2025-43761 | MEDIUM | CVSS 6.9 | CWE-79 | 2025-08-22
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.12; +3 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the frontend-editor-
Sources: cvelistv5, nvd
CVE-2025-43758 | MEDIUM | CVSS 5.3 | CWE-552 | 2025-08-22
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.15; +4 more
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library
Sources: cvelistv5, nvd
CVE-2025-43760 | MEDIUM | CVSS 5.3 | CWE-79 | 2025-08-22
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.20; +4 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.6, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript
Sources: cvelistv5, nvd
CVE-2025-43751 | MEDIUM | CVSS 6.9 | CWE-203 | 2025-08-22
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2023.Q3.1, ≤ 2023.Q3.10; +5 more
User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exis
Sources: cvelistv5, nvd
CVE-2025-43756 | MEDIUM | CVSS 6.9 | CWE-79 | 2025-08-21
Affected: ≥ 2024.Q1.13, ≤ 2024.Q1.19; ≥ 2025.Q1.0, ≤ 2025.Q1.15; +1 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.
Sources: cvelistv5, nvd
CVE-2025-43747 | MEDIUM | CVSS 4.8 | CWE-918 | 2025-08-21
Affected: ≥ 2025.Q2.0, ≤ 2025.Q2.3
A server-side request forgery (SSRF) vulnerability exists in Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by changing the domain and bypassing the validation method; this insecure validation does not distinguish between trusted subdomains and
Sources: cvelistv5, nvd
CVE-2025-43754 | MEDIUM | CVSS 6.9 | CWE-208 | 2025-08-21
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.14; +3 more
Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exists in the application by inspecting the server processing time
Sources: cvelistv5, nvd
CVE-2025-43755 | MEDIUM | CVSS 5.1 | CWE-79 | 2025-08-21
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.17; +5 more
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaS
Sources: cvelistv5, nvd
CVE-2025-43753 | LOW | CVSS 2.1 | CWE-79 | 2025-08-21
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.16; +4 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows a remote authenticated user to inject JavaScr
Sources: cvelistv5, nvd
CVE-2025-43748 | HIGH | CVSS 7.1 | CWE-352 | 2025-08-20
Affected: ≥ 6.2.0, ≤ portal-173; ≥ 7.0.10, ≤ de-102; +7 more
Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery
Sources: cvelistv5, nvd
CVE-2025-43741 | MEDIUM | CVSS 5.1 | CWE-79 | 2025-08-20
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.14; +4 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript i
Sources: cvelistv5, nvd
CVE-2025-43746 | MEDIUM | CVSS 5.1 | CWE-79 | 2025-08-20
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.18; +5 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated a
Sources: cvelistv5, nvd
CVE-2025-43742 | MEDIUM | CVSS 6.9 | CWE-79 | 2025-08-20
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.14; +4 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScr
Sources: cvelistv5, nvd
CVE-2025-43750 | MEDIUM | CVSS 5.1 | CWE-434 | 2025-08-20
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.14; +4 more
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, e
Sources: cvelistv5, nvd
CVE-2025-43757 | MEDIUM | CVSS 4.8 | CWE-79 | 2025-08-20
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.18; +5 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated a
Sources: cvelistv5, nvd
CVE-2025-43749 | MEDIUM | CVSS 5.3 | CWE-552 | 2025-08-20
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.14; +4 more
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded in the form and stored in document_library
Sources: cvelistv5, nvd
CVE-2025-43738 | MEDIUM | CVSS 5.1 | CWE-79 | 2025-08-19
Affected: ≥ 2024.Q1.1, ≤ 2024.Q1.19; ≥ 2024.Q2.1, ≤ 2024.Q2.13; +4 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript c
Sources: cvelistv5, nvd
CVE-2025-43745 | MEDIUM | CVSS 6.9 | CWE-352 | 2025-08-19
Affected: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.19; +5 more
A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to perform cross-origin request on behal
Sources: cvelistv5, nvd