VYPR

Maven package

com.liferay.portal/release.portal.bom

pkg:maven/com.liferay.portal/release.portal.bom

Vulnerabilities (159)

  • CVE-2025-62264 (Oct 31, 2025)
    affected >= 7.4.3.8, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web scr

  • CVE-2025-62265 (Oct 30, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsuppo

  • CVE-2025-62266 (Oct 30, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.110; fixed 7.4.3.110

    By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding att

  • CVE-2025-62257 (Oct 29, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.120; fixed 7.4.3.120

    Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows r

  • CVE-2025-62258 (Oct 27, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.108; fixed 7.4.3.108

    CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` par

  • CVE-2025-62259 (Oct 27, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.110; fixed 7.4.3.110

    Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, wh

  • CVE-2025-62260 (Oct 27, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.100; fixed 7.4.3.100

    Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perfor

  • CVE-2025-62261 (Oct 27, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.100; fixed 7.4.3.100

    Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to

  • CVE-2025-43830 (Oct 8, 2025)
    affected >= 7.3.2, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web scr

  • CVE-2025-43822 (Oct 7, 2025)
    affected >= 7.4.3.15, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via

  • CVE-2025-43823 (Oct 7, 2025)
    affected >= 7.4.0, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via

  • CVE-2025-43824 (Oct 6, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header,

  • CVE-2025-43826 (Sep 30, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.113-ga113; fixed 7.4.3.113-ga113

    Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versi

  • CVE-2025-43817 (Sep 29, 2025)
    affected >= 7.4.3.74-ga74, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML

  • CVE-2025-43813 (Sep 29, 2025)
    affected >= 7.4.0-ga1, < 7.4.3.108-ga108; fixed 7.4.3.108-ga108

    Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35,

  • CVE-2025-43812 (Sep 29, 2025)
    affected >= 7.4.3.4-ga4, < 7.4.3.112-ga112; fixed 7.4.3.112-ga112

    Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to inject arbitrary web script or

  • CVE-2025-43820 (Sep 29, 2025)
    affected >= 7.4.3.35-ga35, < 7.4.3.111-ga111; fixed 7.4.3.111-ga111

    Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 thr

  • CVE-2025-43799 (Sep 15, 2025)
    affected >= 7.4.0, < 7.4.3.112; fixed 7.4.3.112

    Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their init

  • CVE-2025-43785 (Sep 10, 2025)
    affected >= 7.4.3.45, < 7.4.3.129; fixed 7.4.3.129

    Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the M

  • CVE-2025-43776 (Sep 9, 2025)
    affected >= 7.4.0, <= 7.4.3.132

    A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q
