Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-43734

Summary
Assigner-Liferay
Assigner Org ID-8b54e794-c6f0-462e-9faa-c1001a673ac3
Published At-12 Aug, 2025 | 18:51
Updated At-12 Aug, 2025 | 20:37
Rejected At-
Credits

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Liferay
Assigner Org ID:8b54e794-c6f0-462e-9faa-c1001a673ac3
Published At:12 Aug, 2025 | 18:51
Updated At:12 Aug, 2025 | 20:37
Rejected At:
▼CVE Numbering Authority (CNA)

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page.

Affected Products
Vendor
Liferay Inc.Liferay
Product
Portal
Default Status
unaffected
Versions
Affected
  • From 7.4.3.0 through 7.4.3.132 (maven)
Vendor
Liferay Inc.Liferay
Product
DXP
Default Status
unaffected
Versions
Affected
  • From 7.4.13 through 7.4.13-u92 (maven)
  • From 2024.Q1.1 through 2024.Q1.16 (maven)
  • From 2024Q2.0 through 2023.Q2.13 (maven)
  • From 2024.Q3.1 through 2024.Q3.13 (maven)
  • From 2024.Q4.0 through 2024.Q4.7 (maven)
  • From 2025.Q1.0 through 2025.Q1.10 (maven)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43734
N/A
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43734
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@liferay.com
Published At:12 Aug, 2025 | 19:15
Updated At:16 Dec, 2025 | 16:55

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Liferay Inc.
liferay
>>digital_experience_platform>>Versions from 2024.q1.1(inclusive) to 2024.q1.16(inclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>Versions from 2024.Q2.1(inclusive) to 2024.Q2.13(inclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>Versions from 2024.q3.1(inclusive) to 2024.q3.13(inclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>Versions from 2024.q4.0(inclusive) to 2024.q4.7(inclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>Versions from 2025.q1.0(inclusive) to 2025.q1.10(inclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>7.4
cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>liferay_portal>>Versions from 7.4.0(inclusive) to 7.4.3.132(inclusive)
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity@liferay.com
CWE ID: CWE-79
Type: Secondary
Source: security@liferay.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43734security@liferay.com
Vendor Advisory
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43734
Source: security@liferay.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

10344Records found
CVE-2024-25603
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.15% / 35.45%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:09
Updated-28 Jan, 2025 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortalportaldigital_experience_platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25601
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.15% / 35.45%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 01:54
Updated-28 Jan, 2025 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25152
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.15% / 35.45%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:00
Updated-28 Jan, 2025 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortaldigital_experience_platformliferay_portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25151
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 62.33%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 03:17
Updated-28 Jan, 2025 | 02:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43775
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.03% / 8.06%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 18:12
Updated-16 Dec, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via remote app title field.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43753
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-2.1||LOW
EPSS-0.04% / 13.48%
||
7 Day CHG+0.01%
Published-21 Aug, 2025 | 22:23
Updated-15 Dec, 2025 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43744
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 12.53%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 19:34
Updated-15 Dec, 2025 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43823
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 9.32%
||
7 Day CHG~0.00%
Published-07 Oct, 2025 | 21:54
Updated-15 Dec, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43755
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 12.32%
||
7 Day CHG+0.01%
Published-21 Aug, 2025 | 16:40
Updated-12 Dec, 2025 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript into the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43811
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 8.87%
||
7 Day CHG~0.00%
Published-29 Sep, 2025 | 21:59
Updated-11 Dec, 2025 | 22:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple stored cross-site scripting (XSS) vulnerability in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 update 50 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into an asset author’s (1) First Name, (2) Middle Name, or (3) Last Name text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43822
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 9.32%
||
7 Day CHG~0.00%
Published-07 Oct, 2025 | 22:16
Updated-15 Dec, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload injected into a Terms and Condition's Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43829
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 9.32%
||
7 Day CHG~0.00%
Published-08 Oct, 2025 | 13:55
Updated-15 Dec, 2025 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a SVG file.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43787
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.03% / 9.78%
||
7 Day CHG~0.00%
Published-12 Sep, 2025 | 16:09
Updated-16 Dec, 2025 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious payload is stored and executed without proper sanitization or escaping.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43737
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 13.57%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 18:13
Updated-15 Dec, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43738
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 13.57%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 15:50
Updated-15 Dec, 2025 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformPortalDXP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-43746
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 12.32%
||
7 Day CHG+0.01%
Published-20 Aug, 2025 | 18:37
Updated-12 Dec, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3760
Matching Score-10
Assigner-Liferay, Inc.
ShareView Details
Matching Score-10
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.12% / 30.27%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 12:53
Updated-16 Dec, 2025 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25610
Matching Score-8
Assigner-Liferay, Inc.
ShareView Details
Matching Score-8
Assigner-Liferay, Inc.
CVSS Score-9||CRITICAL
EPSS-0.11% / 28.22%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 12:42
Updated-11 Dec, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortalportaldigital_experience_platform
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CVE-2025-2565
Matching Score-8
Assigner-Liferay, Inc.
ShareView Details
Matching Score-8
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.36% / 57.89%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 16:10
Updated-16 Dec, 2025 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The data exposure vulnerability in Liferay Portal 7.4.0 through 7.4.3.126, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92 allows an unauthorized user to obtain entry data from forms.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2022-28982
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 60.74%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 23:57
Updated-27 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28980
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 47.94%
||
7 Day CHG~0.00%
Published-22 Sep, 2022 | 00:13
Updated-27 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28979
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.30% / 53.39%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 23:22
Updated-27 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1570
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.5||LOW
EPSS-0.65% / 70.85%
||
7 Day CHG~0.00%
Published-07 May, 2011 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030.

Action-Not Available
Vendor-n/aMicrosoft CorporationLiferay Inc.
Product-liferay_portalwindows_7n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1504
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.5||LOW
EPSS-0.34% / 56.33%
||
7 Day CHG~0.00%
Published-07 May, 2011 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA allows remote authenticated users to inject arbitrary web script or HTML via a blog title.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26597
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 45.65%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:02
Updated-03 Aug, 2024 | 05:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-digital_experience_platformliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26594
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 49.04%
||
7 Day CHG~0.00%
Published-15 Apr, 2022 | 15:50
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-26596
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 45.65%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:41
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-digital_experience_platformliferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11993
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.18% / 38.53%
||
7 Day CHG+0.08%
Published-17 Dec, 2024 | 20:24
Updated-28 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-47797
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.15% / 34.58%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 06:03
Updated-29 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portalPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3742
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.69% / 71.86%
||
7 Day CHG~0.00%
Published-07 Jan, 2010 | 20:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44311
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.19% / 40.72%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 09:39
Updated-13 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-1294
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-2.56% / 85.64%
||
7 Day CHG~0.00%
Published-16 Apr, 2009 | 15:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in web/guest/home in the Liferay 4.3.0 portal in Novell Teaming 1.0 through SP3 (1.0.3) allow remote attackers to inject arbitrary web script or HTML via the (1) p_p_state or (2) p_p_mode parameters.

Action-Not Available
Vendor-n/aNovellLiferay Inc.
Product-teamingliferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42498
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.44% / 63.30%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:47
Updated-28 Jan, 2025 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42497
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.19% / 40.72%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 07:56
Updated-13 Sep, 2024 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42496
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.44% / 63.30%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 02:21
Updated-28 Jan, 2025 | 02:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0178
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-10.19% / 93.19%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Enterprise Admin Session Monitoring component in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the User-Agent HTTP header.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0179
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-2.6||LOW
EPSS-2.49% / 85.44%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in service/impl/UserLocalServiceImpl.java in Liferay Portal 4.3.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, which is used when composing Forgot Password e-mail messages in HTML format.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0181
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-1.07% / 77.85%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Admin portlet in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Shutdown message.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0180
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.3||MEDIUM
EPSS-1.07% / 77.85%
||
7 Day CHG~0.00%
Published-04 Feb, 2008 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in themes/_unstyled/templates/init.vm in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Greeting field in a User Profile.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-6173
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-7.96% / 92.12%
||
7 Day CHG~0.00%
Published-30 Nov, 2007 | 00:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay Enterprise Portal 4.3.1 allows remote attackers to inject arbitrary web script or HTML via the emailAddress parameter in a Send New Password action, a different vector than CVE-2007-6055. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_enterprise_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-6055
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-8.11% / 92.21%
||
7 Day CHG~0.00%
Published-20 Nov, 2007 | 20:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay Portal 4.1.0 and 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the login parameter. NOTE: this issue reportedly exists because of a regression that followed a fix at an unspecified earlier date.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37940
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 38.53%
||
7 Day CHG+0.05%
Published-17 Dec, 2024 | 21:30
Updated-28 Jan, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.

Action-Not Available
Vendor-Liferay Inc.
Product-liferay_portaldigital_experience_platformDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33337
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 49.17%
||
7 Day CHG~0.00%
Published-04 Aug, 2021 | 13:15
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25476
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.45% / 63.76%
||
7 Day CHG~0.00%
Published-07 Jan, 2021 | 16:04
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-17868
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.20%
||
7 Day CHG~0.00%
Published-23 Dec, 2017 | 23:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33938
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.13% / 32.15%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 13:20
Updated-09 Jan, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33944
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.13% / 32.15%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 15:07
Updated-30 Jan, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33941
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.81%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 14:36
Updated-13 Jan, 2026 | 02:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42110
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 64.93%
||
7 Day CHG~0.00%
Published-14 Nov, 2022 | 00:00
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldxpdigital_experience_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3193
Matching Score-6
Assigner-Liferay, Inc.
ShareView Details
Matching Score-6
Assigner-Liferay, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 45.03%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 03:47
Updated-09 Jan, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 206
  • 207
  • Next
Details not found