VYPR

DXP

by Liferay

Source repositories

CVEs (206)

  • CVE-2025-3760MedApr 17, 2025
    risk 0.35cvss 5.4epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12,…

  • CVE-2024-25151MedFeb 21, 2024
    risk 0.35cvss 5.4epss 0.00

    The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which…

  • CVE-2024-25604MedFeb 20, 2024
    risk 0.35cvss 6.5epss 0.00

    Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user…

  • CVE-2024-25148MedFeb 8, 2024
    risk 0.35cvss 5.4epss 0.01

    In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while…

  • CVE-2023-47798MedFeb 8, 2024
    risk 0.35cvss 5.4epss 0.00

    Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an…

  • CVE-2024-25143MedFeb 7, 2024
    risk 0.35cvss 6.5epss 0.01

    The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which…

  • CVE-2023-33949MedMay 24, 2023
    risk 0.35cvss 5.3epss 0.01

    In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The…

  • CVE-2023-33948MedMay 24, 2023
    risk 0.35cvss 5.3epss 0.01

    The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

  • CVE-2023-33943MedMay 24, 2023
    risk 0.35cvss 5.4epss 0.00

    Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2)…

  • CVE-2023-33942MedMay 24, 2023
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content…

  • CVE-2023-33939MedMay 24, 2023
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or…

  • CVE-2023-33937MedMay 24, 2023
    risk 0.35cvss 5.4epss 0.00

    Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected…

  • CVE-2024-25146MedFeb 8, 2024
    risk 0.34cvss 5.3epss 0.01

    Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have…

  • CVE-2025-4388MedMay 6, 2025
    risk 0.33cvss 6.1epss 0.03

    A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote…

  • CVE-2024-26265MedFeb 20, 2024
    risk 0.33cvss 5.0epss 0.01

    The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can…

  • CVE-2024-25609MedFeb 20, 2024
    risk 0.33cvss 6.1epss 0.00

    HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows…

  • CVE-2024-25608MedFeb 20, 2024
    risk 0.33cvss 6.1epss 0.01

    HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD),…

  • CVE-2023-5190MedFeb 20, 2024
    risk 0.33cvss 6.1epss 0.00

    Open redirect vulnerability in the Countries Management’s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the…

  • CVE-2023-37940MedDec 17, 2024
    risk 0.31cvss 4.8epss 0.00

    Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or…

  • CVE-2023-33944MedMay 24, 2023
    risk 0.31cvss 4.8epss 0.01

    Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type…

Page 3 of 11

VYPR — Vulnerability Intelligence