Versions
2023.q4.5
7.2.10 <= 7.2.10-dxp-16
update35
7.3update29
7.4
7.1
7.3ga
7.2
7.3
2023.q4.0
7.0
2023.q4.2
2023.q3.8
6.2
7.4.13.u7
7.3.10-u29
7.2.10-dxp-17
7.4.13.u87
7.4.13.u76
7.2.10-dxp-18
7.4.13.u70
7.4.13.u48
7.4.13.u89
2023.Q3.1
2023.Q3.4
7.2.10-*
de-102
7.4.13.u53
7.3.10-dxp-2
7.2.10-dxp-14
7.2.10
7.3.10-*
7.4.13.u50
7.4.13.u52
7.3.10-u32
2023.q3.5
2023.Q4.2
7.4.13.u45
7.4.13.u91
7.4.13.u4
7.3.10.sp1
7.1.10-*
7.3.10.u10
2023.Q3.8
7.4.13.u44
7.0.10-de-83
7.3.10-dxp-3
7.4.13-u75
7.3.10.u23
7.4.13-u92
7.3.10.u5
7.0.10-*
7.4.13.u18
0
7.4.13.u37
7.4.13.u25
7.4.13.u62
7.4.13.u68
6.2.0
7.2.10-dxp-15
7.4.13.u73
7.4.13.u9
7.3.10.u4
7.2.10-dxp-12
7.4.13.u85
7.3.10-dxp-33
7.4.13.u81
7.4.13.u78
7.4.13-u87
portal-173
7.0.10
7.3.10-u36
2023.q3.1
7.4.13.u17
7.4.13.u60
7.4.13.u67
2023.Q4.0
7.2.10-dxp-19
7.3.10.u13
dxp-28
dxp-20
7.4.13.u26
2023.q3.4
7.4.13
7.1.10-dxp-17
7.3.10.u7
7.1.10-dxp-26
2023.Q4.5
7.3.10-sp3
7.4.13.u41
7.4.13.u92
7.4.13-u38
7.3.10-u35
2023.Q3.5
7.3.10.*
7.1.10
7.4.13.u21
7.4.13.u3
7.4.13.u30
7.2.10-dxp-4
7.4.13.u8
7.3.10.u11
7.3.10
7.4.13.u15
7.2.10-dxp-16
Recent CVEs
CVE-2023-47798
Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.
CVE-2023-42629
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.
CVE-2023-33947
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definitions by virtual instance in search, which allows remote authenticated users in one virtual instance to view object definitions from a second virtual instance by searching for the object definition.
CVE-2023-33946
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.
CVE-2023-33945
SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.
CVE-2023-33944
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.
CVE-2023-33940
Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.
CVE-2023-33939
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
CVE-2023-33938
Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.
CVE-2023-33937
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.