VYPR

Maven package

com.liferay.portal/release.dxp.bom

pkg:maven/com.liferay.portal/release.dxp.bom

Vulnerabilities (125)

  • CVE-2023-42498 (Feb 21, 2024)
    affected >= 2023.Q3, < 2023.Q3.5; fixed 2023.Q3.5

    Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_life

  • CVE-2024-26269 (Feb 21, 2024)
    affected >= 7.4.13.u1, < 7.4.13.u38; fixed 7.4.13.u38

    Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary

  • CVE-2024-26266 (Feb 21, 2024)
    affected >= 7.4.13.u1, < 7.4.13.u10; fixed 7.4.13.u10

    Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users

  • CVE-2023-42496 (Feb 21, 2024)
    affected >= 7.4.10.ep1, <= 7.4.13.u92

    Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HT

  • CVE-2024-25603 (Feb 21, 2024)
    affected >= 7.4.13.u1, <= 7.4.13.u102

    Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote

  • CVE-2024-25152 (Feb 21, 2024)
    affected >= 7.3.0, < 7.3.10.u4; fixed 7.3.10.u4

    Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to in

  • CVE-2024-25601 (Feb 21, 2024)
    affected >= 7.3.0, < 7.3.10.u4; fixed 7.3.10.u4

    Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote aut

  • CVE-2024-25602 (Feb 21, 2024)
    affected >= 7.3.0, < 7.3.10.u4; fixed 7.3.10.u4

    Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authentica

  • CVE-2024-25147 (Feb 21, 2024)
    affected >= 7.3.0, < 7.3.10.u4; fixed 7.3.10.u4

    Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary w

  • CVE-2021-29050 [High] (Feb 20, 2024)
    affected >= 7.2.0, < 7.2.10.fp11; fixed 7.2.10.fp11

    Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to vis

  • CVE-2024-26270 (Feb 20, 2024)
    affected >= 2023.Q3, < 2023.Q3.5; fixed 2023.Q3.5

    The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

  • CVE-2024-26268 (Feb 20, 2024)
    affected < 7.2.10.fp20; fixed 7.2.10.fp20

    User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exists in t

  • CVE-2024-26267 (Feb 20, 2024)
    affected < 7.2.10.fp19; fixed 7.2.10.fp19

    In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, w

  • CVE-2024-25610 (Feb 20, 2024)
    affected >= 7.4.0, < 7.4.13.u9; fixed 7.4.13.u9

    In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote

  • CVE-2024-25609 (Feb 20, 2024)
    affected >= 7.2.10.fp15, <= 7.2.10.fp18

    HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows rem

  • CVE-2024-25608 (Feb 20, 2024)
    affected < 7.2.10.fp19; fixed 7.2.10.fp19

    HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), w

  • CVE-2024-25607 (Feb 20, 2024)
    affected >= 7.3.0, < 7.3.10.u4; fixed 7.3.10.u4

    The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, whi

  • CVE-2024-25606 (Feb 20, 2024)
    affected >= 7.3.0, < 7.3.10.u12; fixed 7.3.10.u12

    XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to o

  • CVE-2024-25605 (Feb 20, 2024)
    affected < 7.2.10.fp17; fixed 7.2.10.fp17

    The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allo

  • CVE-2024-25604 (Feb 20, 2024)

    Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user per

Page 2 of 7