Versions
6.2.5
7.1.3
7.2.1
2023.q3.4
7.4.3.48
7.4.3.94
7.4.3.89
7.4.3.107
7.4.3.4
7.4.3.37
7.4.3.101
7.4.3.45
7.3.0
7.2.0
7.3.3
7.4.3.91
7.4.3.7
7.4.2
7.4.3.60
7.4.3.52
7.4.3.53
7.4.3.73
7.4.3.95
7.4.3.75
7.4.3.85
7.3.7
7.4.3.111
7.3.1
7.4.3.8
7.3.5
7.4.3.87
7.4.3.67
7.4.3.17
7.4.0
7.4.3.44
7.4.3.78
7.4.1
7.0.0
7.4.3.68
7.1.0
7.4.3.76
7.4.3.62
7.4.3.103
7.4.3.30
7.4.3.41
7.4.3.11
7.4.3.99
7.3.6
7.3.4
7.4.3.26
7.4.3.21
7.4.3.13
0
7.3.2
7.4.3.38
7.4.3.70
7.4.3.15
7.4.3.25
7.4.3.50
7.4.3.18
7.4.3.12
7.4.3.97
7.4.3.81
Recent CVEs
CVE-2023-37940
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.
CVE-2024-11993
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field
CVE-2024-8980
The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.
CVE-2023-42628
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
CVE-2023-42629
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.
CVE-2023-33939
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
CVE-2023-33938
Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.
CVE-2023-33937
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.