com.liferay.portal:release.portal.bom
Maven | 127 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance. Two caveats when reading the entries: the "vulnerable:" ranges are sorted as strings, so an endpoint such as 7.4.3.10 is listed before 7.4.3.9, and the numeric range in each description is the one to compare against; and where an entry shows no fixed version, treat the package as exposed until the vendor advisory says otherwise.
CVEs affecting com.liferay.portal:release.portal.bom (page 2 of 3)
- CVE-2022-42125 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 7.4.3.48 | 2022-11-15
vulnerable: 7.4.3.10 ... 7.4.3.9 (45 versions)
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious p…
- CVE-2022-42126 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 7.4.3.48 | 2022-11-15
vulnerable: 7.3.5 ... 7.4.3.9 (54 versions)
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view …
- CVE-2022-42127 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 7.4.3.48 | 2022-11-15
vulnerable: 7.4.3.10 ... 7.4.3.9 (45 versions)
The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 through 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned…
- CVE-2022-42128 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 7.4.3.5 | 2022-11-15
vulnerable: 7.4.1, 7.4.1-1, 7.4.2, 7.4.2-1, 7.4.3.4
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExtern…
- CVE-2022-42129 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 7.4.3.5 | 2022-11-15
vulnerable: 7.3.2 ... 7.4.3.4 (14 versions)
An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form …
- CVE-2022-42130 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 7.4.3.5 | 2022-11-15
vulnerable: 7.1.0 ... 7.4.3.4 (26 versions)
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remot…
- CVE-2022-42131 | MEDIUM | CVSS 4.8 | EG 4.8 | Fixed in 7.4.3.4 | 2022-11-15
vulnerable: 7.1.0 ... 7.4.2-1 (25 versions)
Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix p…
- CVE-2022-42132 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 7.4.3.5-ga5 | 2022-11-15
vulnerable: 7.0.6 ... 7.4.3.5 (30 versions)
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in th…
- CVE-2022-45320 | MEDIUM | CVSS 6.3 | EG 6.3 | Fixed in 7.4.3.16 | 2024-02-20
vulnerable: 7.0.6 ... 7.4.3.9 (40 versions)
Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page.
- CVE-2023-3193 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 7.4.3.74-ga74 | 2023-06-15
vulnerable: 7.4.3.71, 7.4.3.72, 7.4.3.73, 7.4.3.74
Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the …
- CVE-2023-33937 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.3.1 | 2023-05-24
vulnerable: 7.1.0 ... 7.3.0-1 (10 versions)
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or…
- CVE-2023-33938 | MEDIUM | CVSS 4.8 | EG 4.8 | Fixed in 7.4.1 | 2023-05-24
vulnerable: 7.3.0 ... 7.4.0 (13 versions)
Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via …
- CVE-2023-33939 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.4.3.13 | 2023-05-24
vulnerable: 7.1.0 ... 7.4.3.9 (34 versions)
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote atta…
- CVE-2023-33940 | MEDIUM | CVSS 4.8 | EG 4.8 | Fixed in 7.4.3.31 | 2023-05-24
vulnerable: 7.4.0 ... 7.4.3.9 (34 versions)
Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame U…
- CVE-2023-33941 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 7.4.3.53 | 2023-05-24
vulnerable: 7.4.3.41 ... 7.4.3.52 (12 versions)
Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.52, and Liferay DXP 7.4 update 41 through 52 allow remote attackers t…
- CVE-2023-33942 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.4.3.51 | 2023-05-24
vulnerable: 7.4.3.50
Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted pa…
- CVE-2023-33943 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.4.3.63 | 2023-05-24
vulnerable: 7.4.3.21 ... 7.4.3.62 (45 versions)
Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injec…
- CVE-2023-33944 | MEDIUM | CVSS 4.8 | EG 4.8 | Fixed in 7.4.3.69 | 2023-05-24
vulnerable: 7.3.4 ... 7.4.3.9 (78 versions)
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted…
- CVE-2023-33945 | MEDIUM | CVSS 6.4 | EG 6.4 | Fixed in 7.4.3.18 | 2023-05-24
vulnerable: 7.3.1 ... 7.4.3.9 (29 versions)
SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a …
- CVE-2023-33946 | LOW | CVSS 2.7 | EG 2.7 | Fixed in 7.4.3.49 | 2023-05-24
vulnerable: 7.4.3.10 ... 7.4.3.9 (47 versions)
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objec…
- CVE-2023-33947 | LOW | CVSS 2.7 | EG 2.7 | Fixed in 7.4.3.61 | 2023-05-24
vulnerable: 7.4.3.10 ... 7.4.3.9 (60 versions)
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view obj…
- CVE-2023-33948 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 7.4.3.68 | 2023-05-24
vulnerable: 7.4.3.67
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Med…
- CVE-2023-33949 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 7.3.1 | 2023-05-24
vulnerable: 7.0.6 ... 7.3.0-1 (13 versions)
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addre…
- CVE-2023-33950 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 7.4.3.77 | 2023-05-24
vulnerable: 7.4.3.48 ... 7.4.3.76 (31 versions)
Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an exc…
- CVE-2023-35029 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 7.4.3.77-ga77 | 2023-06-15
vulnerable: 7.4.3.71 ... 7.4.3.77 (7 versions)
Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_l…
- CVE-2023-35030 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 7.4.3.77-ga77 | 2023-06-15
vulnerable: 7.4.3.71 ... 7.4.3.77 (7 versions)
Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripti…
- CVE-2023-37940 | MEDIUM | CVSS 4.8 | EG 4.8 | Fixed in 7.4.3.88 | 2024-12-17
vulnerable: 7.0.6 ... 7.4.3.9 (117 versions)
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote atta…
- CVE-2023-40191 | CRITICAL | CVSS 9.0 | EG 9.0 | Fixed in 7.4.3.98 | 2024-02-21
vulnerable: 7.4.3.44 ... 7.4.3.97 (58 versions)
Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject ar…
- CVE-2023-42496 | CRITICAL | CVSS 9.6 | EG 9.6 | Fixed in 7.4.3.98 | 2024-02-21
vulnerable: 7.3.3 ... 7.4.3.97 (111 versions)
Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attac…
- CVE-2023-42498 | CRITICAL | CVSS 9.6 | EG 9.6 | Fixed in 7.4.3.98 | 2024-02-21
vulnerable: 7.4.3.10 ... 7.4.3.97 (96 versions)
Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbit…
- CVE-2023-47795 | CRITICAL | CVSS 9.0 | EG 9.0 | Fixed in 7.4.3.102 | 2024-02-21
vulnerable: 7.4.3.100 ... 7.4.3.99 (90 versions)
Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject…
- CVE-2023-47797 | CRITICAL | CVSS 9.6 | EG 9.6 | Fixed in 7.4.3.96 | 2023-11-17
vulnerable: 7.4.3.94, 7.4.3.95, 7.4.3.95-1
Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter.
- CVE-2023-47798 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.3.1 | 2024-02-08
vulnerable: 7.2.0, 7.2.1, 7.2.1-1, 7.3.0, 7.3.0-1
Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated user…
- CVE-2023-5190 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 7.4.3.102-ga102 | 2024-02-20
vulnerable: 7.4.3.100 ... 7.4.3.99 (61 versions)
Open redirect vulnerability in the Countries Management’s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to ar…
- CVE-2024-11993 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 7.4.3.39 | 2024-12-17
vulnerable: 7.1.0 ... 7.4.3.9 (62 versions)
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field.
- CVE-2024-25143 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 7.3.7 | 2024-02-07
vulnerable: 7.2.0 ... 7.3.6 (14 versions)
The Document and Media widget in Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption whe…
- CVE-2024-25144 | MEDIUM | CVSS 4.1 | EG 4.1 | Fixed in 7.4.3.27 | 2024-02-08
vulnerable: 7.2.0 ... 7.4.3.9 (45 versions)
The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFr…
- CVE-2024-25145 | CRITICAL | CVSS 9.6 | EG 9.6 | Fixed in 7.4.3.12 | 2024-02-07
vulnerable: 7.0.6 ... 7.4.3.9 (36 versions)
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before …
- CVE-2024-25146 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 7.4.2 | 2024-02-08
vulnerable: 7.2.0 ... 7.4.1-1 (18 versions)
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exi…
- CVE-2024-25147 | CRITICAL | CVSS 9.6 | EG 9.6 | No fixed version listed | 2024-02-21
vulnerable: 7.0.6 ... 7.4.1 (25 versions)
Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allo…
- CVE-2024-25148 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.4.2 | 2024-02-08
vulnerable: 7.2.0 ... 7.4.1-1 (18 versions)
In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked con…
- CVE-2024-25149 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.4.2-ga3 | 2024-02-20
vulnerable: 7.2.0 ... 7.4.2-1 (20 versions)
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit mem…
- CVE-2024-25150 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 7.4.3.4-ga4 | 2024-02-20
vulnerable: 7.2.0 ... 7.4.3.4 (21 versions)
Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote auth…
- CVE-2024-25151 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 7.4.3.4 | 2024-02-21
vulnerable: 7.0.6 ... 7.4.2-1 (28 versions)
The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default …
- CVE-2024-25152 | CRITICAL | CVSS 9.0 | EG 9.0 | No fixed version listed | 2024-02-21
vulnerable: 7.0.6 ... 7.4.2 (27 versions)
Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported version…
- CVE-2024-25601 | CRITICAL | CVSS 9.0 | EG 9.0 | No fixed version listed | 2024-02-21
vulnerable: 7.0.6 ... 7.4.2 (27 versions)
Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and old…
- CVE-2024-25602 | CRITICAL | CVSS 9.0 | EG 9.0 | No fixed version listed | 2024-02-21
vulnerable: 7.0.6 ... 7.4.2 (27 versions)
Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsu…
- CVE-2024-25603 | CRITICAL | CVSS 9.0 | EG 9.0 | Fixed in 7.4.3.5 | 2024-02-21
vulnerable: 7.0.6 ... 7.4.3.4 (29 versions)
Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and …
- CVE-2024-25604 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 7.4.3.5-ga5 | 2024-02-20
vulnerable: 7.2.0 ... 7.4.3.5 (22 versions)
Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote a…
- CVE-2024-25605 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 7.4.3.5-ga5 | 2024-02-20
vulnerable: 7.2.0 ... 7.4.3.5 (22 versions)
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web…
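Deciding whether a pinned release.portal.bom version falls inside one of the ranges above is a version-ordering problem, and the "vulnerable:" lines show why string comparison gets it wrong (7.4.3.10 is listed before 7.4.3.9). The script below is an added example, not EchelonGraph's or Liferay's code. It parses version strings of the shapes that appear on this page (dotted integers with an optional "-1" or "-gaN" suffix), compares them numerically, and applies the bounds of four entries transcribed from above (CVE-2022-42125, CVE-2023-33950, CVE-2024-25147 and CVE-2024-25604). One ordering is an assumption taken from how the page pairs vulnerable and fixed versions: a bare version sorts before its "-N" and "-gaN" variants, so 7.4.3.5 is still exposed when the fix is 7.4.3.5-ga5.

```python
"""Liferay version comparison against this page's 'Fixed in' data.

Added example, not EchelonGraph's or Liferay's code. Assumes version strings
like those listed on the page (dotted integers, optional '-1' / '-gaN' suffix)
and that a bare version sorts before its '-N' and '-gaN' variants.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([a-z]*)(\d+))?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], str, int]:
    """Turn '7.4.3.5-ga5' into ((7, 4, 3, 5), 'ga', 5) for numeric ordering.

    Components compare as integers, so 7.4.3.9 < 7.4.3.10; the page's
    'vulnerable:' lines compare as strings and list 7.4.3.10 first.
    Short versions are padded so 7.4.2 compares like 7.4.2.0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Liferay version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    tag = m.group(2) or ""            # '' for bare and '-1' style, 'ga' for '-ga5'
    num = int(m.group(3)) if m.group(3) else 0
    return nums, tag, num


@dataclass(frozen=True)
class Advisory:
    """Bounds copied from one page entry. None means the page gives no value."""
    cve: str
    affected_from: Optional[str] = None      # lower bound in the description
    affected_through: Optional[str] = None   # upper bound in the description
    fixed_in: Optional[str] = None           # the entry's 'Fixed in' version


def affects(installed: str, adv: Advisory) -> bool:
    """Conservative exposure test: inside the described range, below the
    recorded fix, or no fix recorded at all."""
    k = version_key(installed)
    if adv.affected_from and k < version_key(adv.affected_from):
        return False
    if adv.affected_through and k <= version_key(adv.affected_through):
        return True
    if adv.fixed_in is None:
        return True
    return k < version_key(adv.fixed_in)


# Sample advisories transcribed from the entries above.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2022-42125", "7.4.3.5", "7.4.3.35", "7.4.3.48"),
    Advisory("CVE-2023-33950", "7.4.3.48", "7.4.3.76", "7.4.3.77"),
    Advisory("CVE-2024-25147", "7.2.0", "7.4.1", None),
    Advisory("CVE-2024-25604", "7.2.0", "7.4.3.4", "7.4.3.5-ga5"),
]


def exposure(installed: str, advisories: List[Advisory] = ADVISORIES) -> List[str]:
    """CVE ids from `advisories` that still apply to `installed`."""
    return [a.cve for a in advisories if affects(installed, a)]


def string_order_misranks() -> Tuple[bool, bool]:
    """(string comparison, numeric comparison) of '7.4.3.10 < 7.4.3.9'."""
    return "7.4.3.10" < "7.4.3.9", version_key("7.4.3.10") < version_key("7.4.3.9")


if __name__ == "__main__":
    for v in ("7.3.7", "7.4.3.5", "7.4.3.9", "7.4.3.77"):
        print(v, exposure(v))
    print("string order misranks 7.4.3.10 before 7.4.3.9:", string_order_misranks())
```

The check is deliberately conservative: an entry with no recorded fix (CVE-2024-25147 here) is reported for every version at or above its lower bound, which is the right default for a BOM that pins a whole product line. A practitioner extending this to all 127 entries should copy the numeric bounds from each description rather than from the string-sorted "vulnerable:" lines.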
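CVE-2022-42125 above is a zip slip: FileUtil.unzip wrote archive entries to wherever their names pointed, so an entry named with "../" segments could create or overwrite files outside the deployment directory. The routine below is an added example and not Liferay's code; it builds a constructed archive in memory (one benign plugin entry plus two escaping entries), lists the entries whose resolved path leaves the extraction directory, and refuses the whole archive before writing anything. The function and entry names are illustrative.

```python
"""Zip slip containment check of the kind CVE-2022-42125 describes as missing.

Added example, not Liferay's code. Builds a constructed archive, flags entries
that would escape the extraction directory, and extracts only when none do.
"""
import io
import os
import tempfile
import zipfile
from typing import List, Tuple


def build_sample_zip(malicious: bool) -> bytes:
    """Constructed archive: a benign plugin entry plus, optionally, two
    entries that a naive join(dest, name) would write outside dest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if malicious:
            zf.writestr("../../outside.txt", "written two levels up\n")
            zf.writestr("/abs/outside.txt", "absolute entry name\n")
    return buf.getvalue()


def _resolve(dest_real: str, name: str) -> str:
    # os.path.join discards dest when name is absolute, and realpath collapses
    # '..' components and existing symlinks, so this is where a write would land.
    return os.path.realpath(os.path.join(dest_real, name))


def unsafe_entries(zip_bytes: bytes, dest: str) -> List[str]:
    """Entry names whose resolved target is not inside dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = _resolve(dest_real, info.filename)
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only if every entry stays inside dest; otherwise raise
    before touching the filesystem."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"zip slip entries refused: {bad}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = _resolve(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def try_extract(zip_bytes: bytes) -> Tuple[bool, List[str]]:
    """(True, written paths) or (False, refused entry names), in a temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return True, safe_extract(zip_bytes, dest)
        except ValueError:
            return False, unsafe_entries(zip_bytes, dest)


if __name__ == "__main__":
    print(try_extract(build_sample_zip(malicious=False)))
    print(try_extract(build_sample_zip(malicious=True)))
```

Two points of the design matter in practice. The containment test is done on the fully resolved path (realpath plus commonpath) rather than by searching the entry name for "..", so absolute names and symlinks already present under the target directory are caught as well. And the archive is validated in full before the first byte is written, so a hostile entry late in the listing cannot leave a half-deployed plugin behind. The routine never creates symlinks from archive entries, so symlink-then-write chains inside one archive are not a concern here; an unzip that does honour symlink entries needs to re-check each target after the link is created.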