VYPR
Vendor

Liferay

Products
8
CVEs
285
Across products
508
Status
Private

Products

8

Recent CVEs

285
View all 285 CVEs →
  • CVE-2016-6517CriJan 23, 2017
    risk 0.64cvss 9.8epss 0.02

    Directory traversal vulnerability in Liferay 5.1.0 allows remote attackers to have unspecified impact via a %2E%2E (encoded dot dot) in the minifierBundleDir parameter to barebone.jsp.

  • CVE-2018-10795HigMay 7, 2018
    risk 0.57cvss 8.8epss 0.02

    Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemana…

  • CVE-2021-29050HigFeb 20, 2024
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to…

  • CVE-2010-5327HigJan 13, 2017
    risk 0.50cvss 8.8epss 0.03

    Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.

  • CVE-2017-17868MedDec 27, 2017
    risk 0.40cvss 6.1epss 0.01

    In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag.

  • CVE-2017-12649MedAug 7, 2017
    risk 0.40cvss 6.1epss 0.01

    XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.

  • CVE-2025-43772HigSep 4, 2025
    risk 0.39cvss epss 0.00

    Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading…

  • CVE-2016-3670MedJun 13, 2016
    risk 0.36cvss 6.1epss 0.02

    Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.

  • CVE-2025-4655MedAug 9, 2025
    risk 0.33cvss 5.0epss 0.00

    SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92…

  • CVE-2017-12648MedAug 7, 2017
    risk 0.33cvss 6.1epss 0.01

    XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.

  • CVE-2017-12647MedAug 7, 2017
    risk 0.33cvss 6.1epss 0.01

    XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.

  • CVE-2017-12646MedAug 7, 2017
    risk 0.33cvss 6.1epss 0.01

    XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.

  • CVE-2017-12645MedAug 7, 2017
    risk 0.33cvss 6.1epss 0.01

    XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.

  • CVE-2016-10404MedAug 7, 2017
    risk 0.33cvss 6.1epss 0.01

    XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.

  • CVE-2021-33990Apr 16, 2023
    risk 0.08cvss epss 0.12

    Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can…

  • CVE-2025-3639LowAug 18, 2025
    risk 0.06cvss epss 0.00

    Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated…

  • CVE-2019-11444Apr 22, 2019
    risk 0.06cvss epss 0.13

    An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to…

  • CVE-2009-1294Apr 16, 2009
    risk 0.03cvss epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in web/guest/home in the Liferay 4.3.0 portal in Novell Teaming 1.0 through SP3 (1.0.3) allow remote attackers to inject arbitrary web script or HTML via the (1) p_p_state or (2) p_p_mode parameters.

  • CVE-2008-0178Feb 5, 2008
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in the Enterprise Admin Session Monitoring component in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the User-Agent HTTP header.

  • CVE-2007-6173Nov 30, 2007
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay Enterprise Portal 4.3.1 allows remote attackers to inject arbitrary web script or HTML via the emailAddress parameter in a Send New Password action, a different vector than CVE-2007-6055. NOTE: some of these…