Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-25152

Summary
Assigner-Liferay
Assigner Org ID-8b54e794-c6f0-462e-9faa-c1001a673ac3
Published At-21 Feb, 2024 | 02:00
Updated At-26 Aug, 2024 | 16:52
Rejected At-
Credits

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Liferay
Assigner Org ID:8b54e794-c6f0-462e-9faa-c1001a673ac3
Published At:21 Feb, 2024 | 02:00
Updated At:26 Aug, 2024 | 16:52
Rejected At:
▼CVE Numbering Authority (CNA)

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.

Affected Products
Vendor
Liferay Inc.Liferay
Product
Portal
Default Status
unknown
Versions
Affected
  • From 7.2.0 through 7.4.2 (maven)
Vendor
Liferay Inc.Liferay
Product
DXP
Default Status
unknown
Versions
Affected
  • From 7.3.10 through 7.3.10-dxp-2 (maven)
  • From 7.2.10 through 7.2.10-dxp-16 (maven)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152
vendor-advisory
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152
vendor-advisory
x_transferred
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152
Resource:
vendor-advisory
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Vendor
Liferay Inc.liferay
Product
liferay_portal
CPEs
  • cpe:2.3:a:liferay:liferay_portal:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 7.2.0 before 7.4.2 (maven)
Vendor
Liferay Inc.liferay
Product
digital_experience_platform
CPEs
  • cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 7.3.10 through 7.3.10-dxp- (maven)
  • From 7.2.10 through 7.2.10-dxp-16 (maven)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@liferay.com
Published At:21 Feb, 2024 | 02:15
Updated At:28 Jan, 2025 | 21:26

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches

Liferay Inc.
liferay
>>liferay_portal>>Versions before 7.4.3.4(exclusive)
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>Versions before 7.2(exclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.3
cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.3
cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.3
cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.3
cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity@liferay.com
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: security@liferay.com
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152security@liferay.com
Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152
Source: security@liferay.com
Resource:
Vendor Advisory
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

9064Records found

CVE-2008-0178
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-2.59% / 85.00%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Enterprise Admin Session Monitoring component in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the User-Agent HTTP header.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11993
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.06% / 18.84%
||
7 Day CHG~0.00%
Published-17 Dec, 2024 | 20:24
Updated-28 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10404
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 47.81%
||
7 Day CHG~0.00%
Published-07 Aug, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43770
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 13.87%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 01:03
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the referer or FORWARD_URL using %00 in those parameters.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43755
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.18% / 40.22%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 16:40
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript into the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0179
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-2.6||LOW
EPSS-0.79% / 72.93%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-17 Sep, 2024 | 03:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in service/impl/UserLocalServiceImpl.java in Liferay Portal 4.3.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, which is used when composing Forgot Password e-mail messages in HTML format.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0181
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 67.96%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-16 Sep, 2024 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Admin portlet in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Shutdown message.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0180
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 67.96%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-16 Sep, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in themes/_unstyled/templates/init.vm in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Greeting field in a User Profile.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2004-2030
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.62% / 81.10%
||
7 Day CHG~0.00%
Published-10 May, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in index.jsp for Liferay before 2.2.0 release 10/1/2004 allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the message subject.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-38263
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 66.30%
||
7 Day CHG~0.00%
Published-02 Mar, 2022 | 23:10
Updated-04 Aug, 2024 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-digital_experience_platformliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-6173
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-7.50% / 91.41%
||
7 Day CHG~0.00%
Published-30 Nov, 2007 | 00:00
Updated-07 Aug, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay Enterprise Portal 4.3.1 allows remote attackers to inject arbitrary web script or HTML via the emailAddress parameter in a Send New Password action, a different vector than CVE-2007-6055. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-6055
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-7.64% / 91.51%
||
7 Day CHG~0.00%
Published-20 Nov, 2007 | 20:00
Updated-07 Aug, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay Portal 4.1.0 and 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the login parameter. NOTE: this issue reportedly exists because of a regression that followed a fix at an unspecified earlier date.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-35463
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 47.96%
||
7 Day CHG~0.00%
Published-04 Aug, 2021 | 13:21
Updated-04 Aug, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33326
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 60.95%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 18:37
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29039
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 48.86%
||
7 Day CHG~0.00%
Published-16 May, 2021 | 14:58
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29048
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 48.86%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 11:08
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29044
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 48.86%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 10:55
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29051
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 46.06%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 11:01
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-8349
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.25% / 48.40%
||
7 Day CHG~0.00%
Published-24 Nov, 2014 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29046
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 48.86%
||
7 Day CHG~0.00%
Published-17 May, 2021 | 10:27
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33339
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 38.88%
||
7 Day CHG~0.00%
Published-04 Aug, 2021 | 12:48
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-47797
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.15% / 35.66%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 06:03
Updated-29 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portalPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2963
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.55% / 66.87%
||
7 Day CHG~0.00%
Published-10 Jul, 2014 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44311
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.15% / 35.66%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 09:39
Updated-13 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42496
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.38% / 58.40%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:21
Updated-28 Jan, 2025 | 02:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42497
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.15% / 36.25%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 07:56
Updated-13 Sep, 2024 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42498
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.38% / 58.40%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:47
Updated-28 Jan, 2025 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26596
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 45.71%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:41
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-digital_experience_platformliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43756
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 44.24%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 16:19
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

<!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43753
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-2.1||LOW
EPSS-0.20% / 42.10%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 22:23
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42118
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-42.41% / 97.36%
||
7 Day CHG~0.00%
Published-15 Nov, 2022 | 00:00
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43738
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.23% / 45.60%
||
7 Day CHG+0.02%
Published-19 Aug, 2025 | 15:50
Updated-20 Aug, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-4599
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-2||LOW
EPSS-0.06% / 17.57%
||
7 Day CHG~0.00%
Published-04 Aug, 2025 | 21:18
Updated-05 Aug, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43765
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 13.87%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:32
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the text field from a web content.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-4576
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 19.45%
||
7 Day CHG~0.00%
Published-08 Aug, 2025 | 15:42
Updated-08 Aug, 2025 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43769
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.19% / 40.92%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 02:49
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote attackers to execute arbitrary web script or HTML via components tab.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43746
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.18% / 40.22%
||
7 Day CHG+0.04%
Published-20 Aug, 2025 | 18:37
Updated-22 Aug, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43761
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 19.45%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 20:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the frontend-editor-ckeditor-web/ckeditor/samples/old/ajax.html path

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43740
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.18% / 40.22%
||
7 Day CHG+0.04%
Published-19 Aug, 2025 | 13:03
Updated-19 Aug, 2025 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43735
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 19.45%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 12:19
Updated-12 Aug, 2025 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43744
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.05% / 15.89%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 19:34
Updated-20 Aug, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43731
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 44.24%
||
7 Day CHG+0.05%
Published-18 Aug, 2025 | 18:20
Updated-18 Aug, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows an remote authenticated user to inject JavaScript in message board threads and categories.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43741
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 38.44%
||
7 Day CHG+0.02%
Published-20 Aug, 2025 | 11:54
Updated-20 Aug, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScrip in the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43737
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 38.44%
||
7 Day CHG+0.02%
Published-19 Aug, 2025 | 18:13
Updated-20 Aug, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43734
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.22% / 44.24%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 18:51
Updated-13 Aug, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43757
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 40.22%
||
7 Day CHG+0.04%
Published-20 Aug, 2025 | 19:13
Updated-22 Aug, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43742
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 19.45%
||
7 Day CHG+0.01%
Published-20 Aug, 2025 | 11:35
Updated-20 Aug, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript in web content for friendly urls.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43760
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 47.94%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 17:34
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.6, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript into the PortalUtil.escapeRedirect

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-4388
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-5.52% / 89.88%
||
7 Day CHG-0.42%
Published-06 May, 2025 | 18:01
Updated-07 May, 2025 | 14:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-4604
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 15.89%
||
7 Day CHG~0.00%
Published-04 Aug, 2025 | 22:08
Updated-05 Aug, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 181
  • 182
  • Next
Details not found