VYPR

DXP

by Liferay

Source repositories

CVEs (206)

  • CVE-2024-26272HigOct 22, 2024
    risk 0.57cvss 8.8epss 0.00

    Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1)…

  • CVE-2024-26271HigOct 22, 2024
    risk 0.57cvss 8.8epss 0.00

    Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote…

  • CVE-2023-35030HigJun 15, 2023
    risk 0.57cvss 8.8epss 0.00

    Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the…

  • CVE-2023-44311CriOct 17, 2023
    risk 0.55cvss 9.6epss 0.00

    Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web…

  • CVE-2024-25607HigFeb 20, 2024
    risk 0.53cvss 8.1epss 0.00

    The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor,…

  • CVE-2024-25606HigFeb 20, 2024
    risk 0.52cvss 8.0epss 0.01

    XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to…

  • CVE-2023-44310CriOct 17, 2023
    risk 0.52cvss 9.0epss 0.00

    Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into…

  • CVE-2023-44309CriOct 17, 2023
    risk 0.52cvss 9.0epss 0.00

    Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML…

  • CVE-2023-42629CriOct 17, 2023
    risk 0.52cvss 9.0epss 0.02

    Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's…

  • CVE-2025-3526HigJun 16, 2025
    risk 0.42cvss 7.5epss 0.00

    SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system…

  • CVE-2025-3602HigJun 16, 2025
    risk 0.42cvss 7.5epss 0.00

    Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform…

  • CVE-2024-26270MedFeb 20, 2024
    risk 0.42cvss 6.5epss 0.00

    The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

  • CVE-2023-33950MedMay 24, 2023
    risk 0.42cvss 6.5epss 0.01

    Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via…

  • CVE-2023-33945MedMay 24, 2023
    risk 0.42cvss 6.4epss 0.01

    SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This…

  • CVE-2025-2536MedMar 19, 2025
    risk 0.40cvss 6.1epss 0.00

    Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the…

  • CVE-2024-11993MedDec 17, 2024
    risk 0.40cvss 6.1epss 0.00

    Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

  • CVE-2023-44308MedFeb 20, 2024
    risk 0.40cvss 6.1epss 0.00

    Open redirect vulnerability in adaptive media administration page in Liferay DXP 2023.Q3 before patch 6, and 7.4 GA through update 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_adaptive_media_web_portlet_AMPortlet_redirect parameter.

  • CVE-2023-3193MedJun 15, 2023
    risk 0.40cvss 6.1epss 0.00

    Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_Gr…

  • CVE-2023-35029MedJun 15, 2023
    risk 0.40cvss 6.1epss 0.00

    Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPage…

  • CVE-2023-33941MedMay 24, 2023
    risk 0.40cvss 6.1epss 0.00

    Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers to inject arbitrary web script or HTML…

Page 2 of 11