VYPR

Maven package

com.liferay.portal/com.liferay.portal.kernel

pkg:maven/com.liferay.portal/com.liferay.portal.kernel

Vulnerabilities (6)

  • CVE-2025-43792 (Sep 15, 2025)
    affected: < 130.0.1; fixed: 130.0.1

    Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the

  • CVE-2025-43793 (Sep 15, 2025)
    affected: < 130.0.1; fixed: 130.0.1

    Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a

  • CVE-2025-43770 (Aug 23, 2025)
    affected: < 155.0.0; fixed: 155.0.0

    A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows a remote

  • CVE-2025-3526 (Jun 16, 2025)
    affected: < 38.0.0; fixed: 38.0.0

    SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory

  • CVE-2024-25607 (Feb 20, 2024)
    affected: < 38.0.0; fixed: 38.0.0

    The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, whi

  • CVE-2020-7961 [KEV] (Mar 20, 2020)
    affected: < 4.35.3; fixed: 4.35.3

    Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).