Liferay Portal vulnerabilities

209 known vulnerabilities affecting liferay/portal.

Total CVEs
209
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
HIGH22MEDIUM177LOW10

Vulnerabilities

Page 6 of 11
CVE-2025-43761MEDIUMCVSS 6.9≥ 7.4.0, ≤ 7.4.3.1312025-08-22
CVE-2025-43761 [MEDIUM] CWE-79 CVE-2025-43761: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the frontend-editor-
cvelistv5nvd
CVE-2025-43758MEDIUMCVSS 5.3≥ 7.4.0, ≤ 7.4.3.1322025-08-22
CVE-2025-43758 [MEDIUM] CWE-552 CVE-2025-43758: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library
cvelistv5nvd
CVE-2025-43760MEDIUMCVSS 5.3≥ 7.4.0, ≤ 7.4.3.1322025-08-22
CVE-2025-43760 [MEDIUM] CWE-79 CVE-2025-43760: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.6, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript
cvelistv5nvd
CVE-2025-43751MEDIUMCVSS 6.9≥ 7.4.0, ≤ 7.4.3.1322025-08-22
CVE-2025-43751 [MEDIUM] CWE-203 CVE-2025-43751: User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exis
cvelistv5nvd
CVE-2025-43756MEDIUMCVSS 6.9v7.4.3.1322025-08-21
CVE-2025-43756 [MEDIUM] CWE-79 CVE-2025-43756: <!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->A reflected cross-site scrip A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.
cvelistv5nvd
CVE-2025-43754MEDIUMCVSS 6.9≥ 7.4.0, ≤ 7.4.3.1322025-08-21
CVE-2025-43754 [MEDIUM] CWE-208 CVE-2025-43754: Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exist in the application by inspecting the server processing time
cvelistv5nvd
CVE-2025-43755MEDIUMCVSS 5.1≥ 7.4.0, ≤ 7.4.3.1322025-08-21
CVE-2025-43755 [MEDIUM] CWE-79 CVE-2025-43755: A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Lif A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaS
cvelistv5nvd
CVE-2025-43753LOWCVSS 2.1≥ 7.4.3.32, ≤ 7.4.3.1322025-08-21
CVE-2025-43753 [LOW] CWE-79 CVE-2025-43753: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.13 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScr
cvelistv5nvd
CVE-2025-43748HIGHCVSS 7.1≥ 7.0.0, ≤ 7.4.3.1192025-08-20
CVE-2025-43748 [HIGH] CWE-352 CVE-2025-43748: Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery
cvelistv5nvd
CVE-2025-43741MEDIUMCVSS 5.1≥ 7.4.0, ≤ 7.4.3.1322025-08-20
CVE-2025-43741 [MEDIUM] CWE-79 CVE-2025-43741: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScrip i
cvelistv5nvd
CVE-2025-43746MEDIUMCVSS 5.1≥ 7.4.0, ≤ 7.4.3.1322025-08-20
CVE-2025-43746 [MEDIUM] CWE-79 CVE-2025-43746: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated a
cvelistv5nvd
CVE-2025-43742MEDIUMCVSS 6.9≥ 7.4.0, ≤ 7.4.3.1322025-08-20
CVE-2025-43742 [MEDIUM] CWE-79 CVE-2025-43742: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScr
cvelistv5nvd
CVE-2025-43750MEDIUMCVSS 5.1≥ 7.4.0, ≤ 7.4.3.1322025-08-20
CVE-2025-43750 [MEDIUM] CWE-434 CVE-2025-43750: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, e
cvelistv5nvd
CVE-2025-43757MEDIUMCVSS 4.8≥ 7.4.0, ≤ 7.4.3.1322025-08-20
CVE-2025-43757 [MEDIUM] CWE-79 CVE-2025-43757: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated a
cvelistv5nvd
CVE-2025-43749MEDIUMCVSS 5.3≥ 7.4.0, ≤ 7.4.3.1322025-08-20
CVE-2025-43749 [MEDIUM] CWE-552 CVE-2025-43749: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded in the form and stored in document_library
cvelistv5nvd
CVE-2025-43738MEDIUMCVSS 5.1≥ 7.4.0, ≤ 7.4.3.1322025-08-19
CVE-2025-43738 [MEDIUM] CWE-79 CVE-2025-43738: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript c
cvelistv5nvd
CVE-2025-43745MEDIUMCVSS 6.9≥ 7.4.0, ≤ 7.4.3.1322025-08-19
CVE-2025-43745 [MEDIUM] CWE-352 CVE-2025-43745: A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 20 A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to performs cross-origin request on behal
cvelistv5nvd
CVE-2025-43744MEDIUMCVSS 5.1≥ 7.4.0, ≤ 7.4.3.1322025-08-19
CVE-2025-43744 [MEDIUM] CWE-79 CVE-2025-43744: A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.13 A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publish
cvelistv5nvd
CVE-2025-43743MEDIUMCVSS 5.3≥ 7.4.0, ≤ 7.4.3.1322025-08-19
CVE-2025-43743 [MEDIUM] CWE-203 CVE-2025-43743: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, gi
cvelistv5nvd
CVE-2025-43739MEDIUMCVSS 5.3≥ 7.4.0, ≤ 7.4.3.1322025-08-19
CVE-2025-43739 [MEDIUM] CWE-203 CVE-2025-43739: Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 throu Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to
cvelistv5nvd
← Previous6 / 11Next →