Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-42112

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-18 Oct, 2022 | 00:00
Updated At-04 Jul, 2026 | 23:31
Rejected At-
Credits

A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:18 Oct, 2022 | 00:00
Updated At:04 Jul, 2026 | 23:31
Rejected At:
▼CVE Numbering Authority (CNA)

A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112
N/A
Hyperlink: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://liferay.com
x_transferred
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112
x_transferred
Hyperlink: http://liferay.com
Resource:
x_transferred
Hyperlink: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:18 Oct, 2022 | 21:15
Updated At:05 Jul, 2026 | 00:17

A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Secondary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
N/A
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Liferay Inc.
liferay
>>digital_experience_platform>>Versions before 7.2(exclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:sp3:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.3
cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:ga1:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*
Liferay Inc.
liferay
>>dxp>>7.4
cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE-79Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112cve@mitre.org
Patch
Vendor Advisory
http://liferay.comaf854a3a-2127-422b-91ae-364da2661108
Product
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112af854a3a-2127-422b-91ae-364da2661108
Patch
Vendor Advisory
Hyperlink: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory
Hyperlink: http://liferay.com
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product
Hyperlink: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

10531Records found

CVE-2025-43731
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.20% / 9.91%
||
7 Day CHG~0.00%
Published-18 Aug, 2025 | 18:20
Updated-19 Dec, 2025 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows an remote authenticated user to inject JavaScript in message board threads and categories.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62246
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 10.03%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 20:21
Updated-12 Dec, 2025 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user’s first, middle or last name text field to (1) page comments widget, (2) blog entry comments, (3) document and media document comments, (4) message board messages, (5) wiki page comments or (6) other widgets/apps that supports mentions.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3760
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 11.84%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 12:53
Updated-16 Dec, 2025 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33943
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 35.79%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 14:57
Updated-30 Jan, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33942
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.53% / 41.07%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 14:49
Updated-13 Jan, 2026 | 02:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33939
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.47%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 13:41
Updated-30 Jan, 2026 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33937
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 35.79%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 12:16
Updated-09 Jan, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-7934
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-4.46% / 90.27%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 13:03
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25601
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.56% / 42.40%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 01:54
Updated-28 Jan, 2025 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25152
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.56% / 42.41%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:00
Updated-28 Jan, 2025 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortaldigital_experience_platformliferay_portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62239
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.20% / 10.38%
||
7 Day CHG~0.00%
Published-10 Oct, 2025 | 12:21
Updated-12 Dec, 2025 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via the crafted input in a workflow definition.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62240
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 10.03%
||
7 Day CHG-0.00%
Published-09 Oct, 2025 | 21:08
Updated-12 Dec, 2025 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62238
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 10.03%
||
7 Day CHG~0.00%
Published-10 Oct, 2025 | 12:33
Updated-12 Dec, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into a Account's “Name“ text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-38267
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.58% / 43.44%
||
7 Day CHG+0.01%
Published-02 Mar, 2022 | 23:15
Updated-05 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-38265
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.58% / 43.44%
||
7 Day CHG+0.01%
Published-02 Mar, 2022 | 23:03
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-38269
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.58% / 43.44%
||
7 Day CHG+0.01%
Published-02 Mar, 2022 | 23:25
Updated-05 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33336
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.68% / 47.83%
||
7 Day CHG~0.00%
Published-04 Aug, 2021 | 12:53
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25610
Matching Score-8
Assigner-Liferay, Inc.
ShareView Details
Matching Score-8
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.52% / 40.20%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 12:42
Updated-11 Dec, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortalportaldigital_experience_platform
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CVE-2017-1000425
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.01% / 58.86%
||
7 Day CHG~0.00%
Published-02 Jan, 2018 | 23:00
Updated-05 Aug, 2024 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25476
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.94% / 56.63%
||
7 Day CHG~0.00%
Published-07 Jan, 2021 | 16:04
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42110
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.56% / 42.68%
||
7 Day CHG~0.00%
Published-14 Nov, 2022 | 00:00
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42118
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.15% / 63.04%
||
7 Day CHG~0.00%
Published-15 Nov, 2022 | 00:00
Updated-04 Jul, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42116
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 39.21%
||
7 Day CHG~0.00%
Published-18 Oct, 2022 | 00:00
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-3670
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.29% / 81.13%
||
7 Day CHG~0.00%
Published-13 Jun, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42117
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 39.21%
||
7 Day CHG~0.00%
Published-18 Oct, 2022 | 00:00
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42113
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 39.21%
||
7 Day CHG~0.00%
Published-18 Oct, 2022 | 00:00
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-26269
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.56% / 42.27%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:39
Updated-22 Apr, 2025 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortalportaldxp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25147
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.56% / 42.27%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 01:16
Updated-22 Apr, 2025 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortalportaldxp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11993
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.32% / 23.79%
||
7 Day CHG~0.00%
Published-17 Dec, 2024 | 20:24
Updated-28 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2004-2030
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-2.08% / 79.23%
||
7 Day CHG~0.00%
Published-10 May, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in index.jsp for Liferay before 2.2.0 release 10/1/2004 allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the message subject.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6588
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.7||MEDIUM
EPSS-2.28% / 81.05%
||
7 Day CHG~0.00%
Published-03 Jun, 2019 | 19:43
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44311
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.46% / 36.71%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 09:39
Updated-13 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2536
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.27% / 18.72%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 19:00
Updated-16 Dec, 2025 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42496
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.61% / 44.94%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:21
Updated-28 Jan, 2025 | 02:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42498
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.61% / 44.95%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:47
Updated-28 Jan, 2025 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42497
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.46% / 36.71%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 07:56
Updated-13 Sep, 2024 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40191
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.62% / 45.37%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 03:06
Updated-28 Jan, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16147
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.78% / 51.64%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 20:45
Updated-05 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37940
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.27% / 17.90%
||
7 Day CHG~0.00%
Published-17 Dec, 2024 | 21:30
Updated-28 Jan, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1504
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.5||LOW
EPSS-0.99% / 58.30%
||
7 Day CHG~0.00%
Published-07 May, 2011 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA allows remote authenticated users to inject arbitrary web script or HTML via a blog title.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28982
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 28.65%
||
7 Day CHG+0.01%
Published-21 Sep, 2022 | 23:57
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26597
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.67% / 47.68%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:02
Updated-03 Aug, 2024 | 05:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-digital_experience_platformliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26594
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.70% / 48.83%
||
7 Day CHG+0.02%
Published-15 Apr, 2022 | 15:50
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3742
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-1.07% / 60.81%
||
7 Day CHG~0.00%
Published-07 Jan, 2010 | 20:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28980
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 28.65%
||
7 Day CHG+0.01%
Published-22 Sep, 2022 | 00:13
Updated-05 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28979
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 39.29%
||
7 Day CHG+0.01%
Published-21 Sep, 2022 | 23:22
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26596
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.67% / 47.68%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:41
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-digital_experience_platformliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62249
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 12.95%
||
7 Day CHG-0.00%
Published-21 Oct, 2025 | 18:12
Updated-12 Dec, 2025 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33941
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 36.80%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 14:36
Updated-13 Jan, 2026 | 02:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33944
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.53% / 41.07%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 15:07
Updated-30 Jan, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 210
  • 211
  • Next
Details not found