Known Vulnerabilities

Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.3 Liferay DXP 2024.Q4.0 through 2024.Q4.7 Liferay DXP 2024.Q3.1 through 2024.Q3.13 Liferay DXP 2024.Q2.0 throguh...

Liferay DXP 2025.Q1.4 Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q2.0 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker...

Liferay Portal and Liferay DXP allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs. Liferay Portal 7.4.0 through 7.4.3.131 Liferay...

Liferay Portal 7.4.3.132 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q3.10 Liferay DXP 2024.Q4.0 Liferay DXP 2025.Q1.0 Liferay Portal 7.4.3.86 through 7.4.3.131 Liferay DXP 2024.Q3.1 through 2024.Q3.9...

The Liferay Portal and Liferay DXP allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers....

A Stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the text field from a web content. Liferay...

Liferay Portal 7.4.0 through 7.4.3.131 Liferay DXP 2024.Q4.0 through 2024.Q4.1 Liferay DXP 2024.Q3.1 through 2024.Q3.13 Liferay DXP 2024.Q2.0 throguh 2024.Q2.13 Liferay DXP 2024.Q1.1 through...

Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q2.0 Username enumeration vulnerability in Liferay Portal and Liferay DXP allows attackers to determine if an account exist in the...

Liferay Portal 7.4.0 through 7.4.3.131 Liferay DXP 2024.Q4.0 through 2024.Q4.3 Liferay DXP 2024.Q3.1 through 2024.Q3.12 Liferay DXP 2024.Q2.0 through 2024.Q2.13 Liferay DXP 2024.Q1.1 through...

User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exist in the application via the create account page. Liferay Portal 7.4.0...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the google_gadget. Liferay Portal...

Liferay Portal 7.4.3.132 Liferay Portal 7.4.3.132 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q4.5 Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q4.5 Liferay DXP 2024.Q1.13 Liferay DXP 2025.Q1.0 A reflected...

The fragment preview functionality in Liferay Portal and Liferay DXP was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript...

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.1 Liferay DXP 2024.Q1.15 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q4.0 through...

Liferay DXP 2025.Q2.0 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.2 Liferay DXP 2024.Q1.15 Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q1.2 Liferay Portal and...

Liferay Portal and Liferay DXP allow users to upload an unlimited amount of files through the forms, the files are stored in the document_library allowing an attacker to cause a potential DDoS....

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.2 Liferay DXP 2024.Q1.15 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.1 Liferay DXP...

Liferay DXP 2024.Q3.1 Liferay DXP 2024.Q4.0 Liferay DXP 2024.Q1.13 The data exposure vulnerability in Liferay Portal and Liferay DXP allows an unauthorized user to obtain entry data from forms....

Liferay DXP 2024.Q3.1 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q4.0 Dtro and TF1T of VietSunshine Cyber Security Services Cross-site scripting (XSS) vulnerability on Liferay Portal and Liferay DXP...

Liferay DXP 2024.Q4.0 Enumeration of ERC from object entry in Liferay Portal and Liferay DXP allow attackers to determine existent ERC in the application by exploit the time response. Liferay...