Liferay DXP vulnerabilities
242 known vulnerabilities affecting liferay/dxp.
Total CVEs: 242
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 26, MEDIUM 204, LOW 10
Vulnerabilities
Page 8 of 13

CVE-2025-4388 (MEDIUM, CVSS 6.9, CWE-79, PoC) published 2025-05-06
Affected versions: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2024.Q1.1, ≤ 2024.Q1.12; +3 more
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the modules/apps/marketpl
Sources: cvelistv5, nvd

CVE-2025-3760 (MEDIUM, CVSS 4.8, CWE-79) published 2025-04-17
Affected versions: ≥ 7.2.10, ≤ dxp-20; ≥ 7.3.10, ≤ 7.3.10-u36; +7 more
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 9
Sources: cvelistv5, nvd

CVE-2025-2565 (MEDIUM, CVSS 5.1, CWE-201) published 2025-03-20
Affected versions: ≥ 7.4.13, ≤ 7.4.13-u92; ≥ 2023.Q3.1, ≤ 2023.Q3.10; +4 more
The data exposure vulnerability in Liferay Portal 7.4.0 through 7.4.3.126, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92 allows an unauthorized user to obtain entry data from forms.
Sources: cvelistv5, nvd

CVE-2025-2536 (MEDIUM, CVSS 5.1, CWE-79) published 2025-03-19
Affected versions: ≥ 7.4.13-u82, ≤ 7.4.13-u92; ≥ 2023.Q3.1, ≤ 2023.Q3.10; +4 more
Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers t
Sources: cvelistv5, nvd

CVE-2023-37940 (MEDIUM, CVSS 4.8, CWE-79) published 2024-12-17
Affected versions: ≥ 7.0.10, ≤ de-102; ≥ 7.1.10, ≤ dxp-28; +3 more
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Servi
Sources: cvelistv5, nvd

CVE-2024-11993 (MEDIUM, CVSS 4.6, CWE-79) published 2024-12-17
Affected versions: ≥ 7.4.13, ≤ 7.4.13-u38
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field
Sources: cvelistv5, nvd

CVE-2024-26271 (HIGH, CVSS 8.8, CWE-352) published 2024-10-22
Affected versions: ≥ 7.3.10-u32, ≤ 7.3.10-u35; ≥ 7.4.13-u75, ≤ 7.4.13-u92; +2 more
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute a
Sources: cvelistv5, nvd

CVE-2024-26272 (HIGH, CVSS 8.8, CWE-352) published 2024-10-22
Affected versions: ≥ 7.3.10, ≤ 7.3.10-u35; ≥ 7.4.13, ≤ 7.4.13-u92; +2 more
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code
Sources: cvelistv5, nvd

CVE-2024-26273 (HIGH, CVSS 8.8, CWE-352) published 2024-10-22
Affected versions: ≥ 7.3.10-u29, ≤ 7.3.10-u35; ≥ 7.4.13, ≤ 7.4.13-u92; +2 more
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrar
Sources: cvelistv5, nvd

CVE-2024-38002 (HIGH, CVSS 8.8, CWE-862) published 2024-10-22
Affected versions: ≥ 7.3.10, ≤ 7.3.10-u36; ≥ 7.4.13, ≤ 7.4.13-u92; +2 more
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execu
Sources: cvelistv5, nvd

CVE-2024-8980 (MEDIUM, CVSS 6.1, CWE-352) published 2024-10-22
Affected versions: ≥ 6.2.0, ≤ portal-173; ≥ 7.0.10, ≤ de-102; +5 more
The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attack
Sources: cvelistv5, nvd

CVE-2024-25602 (MEDIUM, CVSS 5.4, CWE-79) published 2024-02-21
Affected versions: ≥ 7.3.10, ≤ 7.3.10-dxp-2; ≥ 7.2.10, ≤ 7.2.10-dxp-16
Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload i
Sources: cvelistv5, nvd

CVE-2024-26266 (MEDIUM, CVSS 5.4, CWE-79) published 2024-02-21
Affected versions: ≥ 7.4.13, ≤ 7.4.13.u9; ≥ 7.3.10, ≤ 7.3.10-dxp-3; +1 more
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected in
Sources: cvelistv5, nvd

CVE-2023-42498 (MEDIUM, CVSS 6.1, CWE-79) published 2024-02-21
Affected versions: ≥ 2023.q3.1, ≤ 2023.q3.4; ≥ 7.4.13.u4, ≤ 7.4.13.u92
Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key paramet
Sources: cvelistv5, nvd

CVE-2023-47795 (MEDIUM, CVSS 5.4, CWE-79) published 2024-02-21
Affected versions: ≥ 2023.q3.1, ≤ 2023.q3.5; ≥ 7.4.13.u18, ≤ 7.4.13.u92
Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.
Sources: cvelistv5, nvd

CVE-2024-25601 (MEDIUM, CVSS 5.4, CWE-79) published 2024-02-21
Affected versions: ≥ 7.3.10, ≤ 7.3.10-dxp-2; ≥ 7.2.10, ≤ 7.2.10-dxp-16
Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted pa
Sources: cvelistv5, nvd

CVE-2023-42496 (MEDIUM, CVSS 6.1, CWE-79) published 2024-02-21
Affected versions: ≥ 2023.q3.1, ≤ 2023.q3.5; ≥ 7.4.13, ≤ 7.4.13.u92; +1 more
Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2
Sources: cvelistv5, nvd

CVE-2024-25151 (MEDIUM, CVSS 5.4, CWE-79) published 2024-02-21
Affected versions: ≥ 7.3.10, ≤ 7.3.10-dxp-2; ≥ 7.2.10, ≤ 7.2.10-dxp-14
The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via t
Sources: cvelistv5, nvd

CVE-2023-40191 (MEDIUM, CVSS 6.1, CWE-79) published 2024-02-21
Affected versions: ≥ 2023.q3.1, ≤ 2023.q3.5; ≥ 7.4.13.u44, ≤ 7.4.13.u92
Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field
Sources: cvelistv5, nvd

CVE-2024-25152 (MEDIUM, CVSS 5.4, CWE-79) published 2024-02-21
Affected versions: ≥ 7.3.10, ≤ 7.3.10-dxp-2; ≥ 7.2.10, ≤ 7.2.10-dxp-16
Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.
Sources: cvelistv5, nvd