pkg:Maven/com.liferay.portal:release.dxp.bom

125 total CVEs: CRITICAL 24, HIGH 19, MEDIUM 72

All known vulnerabilities

  • CRITICAL 9.8 CVE-2022-42120: Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Fragment Module
    >= 7.3.0, < 7.3.10.u4
  • CRITICAL 9.8 CVE-2022-42122: Liferay Portal and Liferay DXP Vulnerable to SQL Injection via Friendly URL Module
    >= 7.3.10.fp2, < 7.3.10.u4
  • CRITICAL 9.6 CVE-2024-8980: Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console
    >= 2023.Q3.1, < 2023.Q3.5
  • CRITICAL 9.6 CVE-2024-26269: Liferay Portal Frontend JS module's portlet.js and Liferay DXP vulnerable to Cross-site Scripting
    >= 7.4.13.u1, < 7.4.13.u38
  • CRITICAL 9.6 CVE-2023-42496: Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting
    >= 7.4.10.ep1, <= 7.4.13.u92
  • CRITICAL 9.6 CVE-2024-25147: Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting
    >= 7.3.0, < 7.3.10.u4
  • CRITICAL 9.6 CVE-2023-42498: Liferay Portal Language Override edit screen and Liferay DXP vulnerable to reflected Cross-site Scripting
    >= 2023.Q3, < 2023.Q3.5
  • CRITICAL 9.6 CVE-2024-25145: Liferay Portal stored cross-site scripting (XSS) vulnerability
    >= 7.4.0, < 7.4.3.13u8
  • CRITICAL 9.6 CVE-2023-42627: Liferay Portal and Liferay DXP Vulnerable to XSS in the Commerce Module
    >= 7.3.0, <= 7.3.10.u33
  • CRITICAL 9.6 CVE-2023-44311: Liferay Portal and Liferay DXP Vulnerable to XSS via the OAuth2ProviderApplicationRedirect Class
    >= 7.4.13.u41, < 7.4.13.u90
  • CRITICAL 9.6 CVE-2023-42497: Liferay Portal and Liferay DXP Vulnerable to Reflected XSS via the Export for Translation Page
    >= 7.4.0, < 7.4.13.u86
  • CRITICAL 9.0 CVE-2024-38002: Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions
    >= 2023.Q4.0, < 2023.Q4.6
  • CRITICAL 9.0 CVE-2023-47795: Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting
    >= 2023.Q3, < 2023.Q3.6
  • CRITICAL 9.0 CVE-2024-25603: Liferay Portal's Dynamic Data Mapping module's DDMForm and Liferay DXP vulnerable to stored Cross-site Scripting
    >= 7.4.13.u1, <= 7.4.13.u102
  • CRITICAL 9.0 CVE-2024-26266: Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting
    >= 7.4.13.u1, < 7.4.13.u10
  • CRITICAL 9.0 CVE-2024-25152: Liferay Portal Message Board widget and Liferay DXP vulnerable to stored Cross-site Scripting
    >= 7.3.0, < 7.3.10.u4
  • CRITICAL 9.0 CVE-2024-25601: Liferay Portal Expando module and Liferay DXP vulnerable to stored Cross-site Scripting
    >= 7.3.0, < 7.3.10.u4
  • CRITICAL 9.0 CVE-2024-25602: Liferay Portal and Liferay DXP's Users Admin module vulnerable to stored Cross-site Scripting
    >= 7.3.0, < 7.3.10.u4
  • CRITICAL 9.0 CVE-2023-40191: Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting
    >= 2023.Q3, < 2023.Q3.6
  • CRITICAL 9.0 CVE-2024-25610: Liferay Portal has a Stored XSS with Blog entries (Insecure defaults)
    >= 7.4.0, < 7.4.13.u9
  • CRITICAL 9.0 CVE-2023-44310: Liferay Portal and Liferay DXP Vulnerable to XSS via the Page Tree Menu
    >= 7.3.10.fp1, <= 7.3.10.fp23
  • CRITICAL 9.0 CVE-2023-42628: Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget
    >= 7.0.10.fp83, <= 7.0.10.fp102
  • CRITICAL 9.0 CVE-2023-42629: Liferay Portal and Liferay DXP Vulnerable to Stored XSS in the Manage Vocabulary Page
    >= 7.4.0, < 7.4.13.u88
  • CRITICAL 9.0 CVE-2023-44309: Liferay Portal and Liferay DXP Vulnerable to XSS in the Fragment Components
    >= 7.4.0, < 7.4.13.u54
  • HIGH 8.8 CVE-2024-26273: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the Content Page Editor
    >= 2023.Q4.0, < 2023.Q4.3
  • HIGH 8.8 CVE-2024-26271: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the My Account Widget
    >= 2023.Q4.0, < 2023.Q4.3
  • HIGH 8.8 CVE-2024-26272: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the Content Page Editor
    >= 2023.Q4.0, < 2023.Q4.3
  • HIGH 8.8 CVE-2021-29050: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery in Terms of Use Page
    >= 7.2.0, < 7.2.10.fp11
  • HIGH 8.8 CVE-2023-35030: Liferay Portal and Liferay DXP Vulnerable to CSRF via the Layout Module
    >= 7.4.13.u70, <= 7.4.13.u76
  • HIGH 8.8 CVE-2022-42121: Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Layout Module
    >= 7.1.0, < 7.1.10.fp27
  • HIGH 8.8 CVE-2021-29053: Liferay Portal and Liferay DXP Vulnerable to Multiple SQL Injections
    from 0, < 7.3.10.fp1
  • HIGH 8.8 CVE-2020-13445: Liferay Portal and Liferay DXP Vulnerable to Arbitrary Code Execution
    >= 7.0.0, < 7.0.10.fp92
  • HIGH 8.3 CVE-2020-15841: Liferay Portal and Liferay DXP Potentially Reveal LDAP Server Password via Unsafe Connection
    >= 7.0.0, < 7.0.10.fp89
  • HIGH 8.1 CVE-2024-25607: Liferay Portal defaults to a low work factor for the default password hashing algorithm
    >= 7.3.0, < 7.3.10.u4
  • HIGH 8.1 CVE-2024-25148: Liferay Portal vulnerable to user impersonation
    >= 7.2.0, < 7.2.10.fp15
  • HIGH 8.1 CVE-2020-15842: Liferay Portal and Liferay DXP have Insecure Deserialization Vulnerability
    >= 7.0.0, < 7.0.10.fp90
  • HIGH 8.0 CVE-2024-25606: Liferay Portal has an XXE vulnerability in Java2WsddTask._format
    >= 7.3.0, < 7.3.10.u12
  • HIGH 7.5 CVE-2021-33322: Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use
    >= 7.0.0, < 7.0.10.fp96
  • HIGH 7.5 CVE-2021-33338: Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs
    >= 7.1.0, < 7.1.10.fp19
  • HIGH 7.5 CVE-2021-33323: Liferay Portal and Liferay DXP autosaves form data for other users to see
    >= 7.1.0, < 7.1.10.fp19
  • HIGH 7.5 CVE-2021-29047: Liferay Portal and Liferay DXP Fails to Invalidate CAPTCHA Answers After Use
    from 0, < 7.3.10.fp1
  • HIGH 7.5 CVE-2021-38266: Liferay Portal and Liferay DXP fails to properly import users from LDAP
    from 0, < 7.3.0-ga1
  • HIGH 7.2 CVE-2021-33335: Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers
    >= 7.1.0, < 7.1.10.fp20
  • MEDIUM 6.5 CVE-2024-26270: Liferay Portal and Liferay DXP vulnerable to theft of hashed password
    >= 2023.Q3, < 2023.Q3.5
  • MEDIUM 6.5 CVE-2024-25604: Liferay Portal and Liferay DXP Allows Authenticated Users with View Permissions to Edit Permissions
  • MEDIUM 6.5 CVE-2022-38512: Liferay Portal and Liferay DXP Fails to Check Permissions in Translation Module
    >= 7.4.13.u8, < 7.4.13.u37
  • MEDIUM 6.5 CVE-2021-29041: Liferay DXP Vulnerable to Denial-of-service (DoS) in the Multi-Factor Authentication Module
    from 0, < 7.3.10.fp1
  • MEDIUM 6.5 CVE-2020-13444: Liferay Portal and Liferay DXP Fails to Sanitize API Data
    >= 7.0.0, < 7.0.10.fp92
  • MEDIUM 6.5 CVE-2021-38268: Liferay Portal and Liferay DXP has incorrect default permissions for site members
    >= 7.0.0, < 7.0.10.fp101
  • MEDIUM 6.5 CVE-2020-15839: Unrestricted Upload of File with Dangerous Type in Liferay Portal and Liferay DXP
    from 0, < 7.1.10.fp18
  • MEDIUM 6.3 CVE-2021-29038: Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers
    from 0, < 7.2.10.fp17
  • MEDIUM 6.3 CVE-2021-33333: Liferay Portal and Liferay DXP Fails to Check User Permissions for Workflow Submissions
    from 0, < 7.0.10.fp93
  • MEDIUM 6.1 CVE-2024-11993: Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting
    >= 7.1, < 7.4.13.u39
  • MEDIUM 6.1 CVE-2024-25609: Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Two Forward Slashes
    >= 7.2.10.fp15, <= 7.2.10.fp18
  • MEDIUM 6.1 CVE-2024-25608: Liferay Portal and Liferay DXP's HtmlUtil.escapeRedirect Can Be Circumvented via Replacement Character
    from 0, < 7.2.10.fp19
  • MEDIUM 6.1 CVE-2023-5190: Liferay Portal and Liferay DXP Vulnerable to Open Redirect in Countries Management's Edit Region Page
    >= 2023.Q3, < 2023.Q3.6
  • MEDIUM 6.1 CVE-2023-35029: Liferay Portal and Liferay DXP Vulnerable to Open Redirect via the Layout Module
    >= 7.4.13.u70, <= 7.4.13.u76
  • MEDIUM 6.1 CVE-2023-3193: Liferay Portal and Liferay DXP Vulnerable to XSS via the Layout Module
    >= 7.4.13.u70, <= 7.4.13.u73
  • MEDIUM 6.1 CVE-2022-42118: Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module
    >= 7.1.0, < 7.1.10.fp27
  • MEDIUM 6.1 CVE-2022-42110: Liferay Portal and Liferay DXP Vulnerable to XSS via the Announcements Module
    >= 7.1.0, < 7.1.10.fp27
  • MEDIUM 6.1 CVE-2022-42116: Liferay Portal and Liferay DXP Vulnerable to XSS in the CKEditor Integration with the Frontend Editor Module
    >= 7.3.0, < 7.3.10.u6
  • MEDIUM 6.1 CVE-2022-42117: Liferay Portal and Liferay DXP Vulnerable to XSS in the Frontend Taglib Module
    >= 7.3.0, < 7.3.10.u6
  • MEDIUM 6.1 CVE-2022-42113: Liferay Portal and Liferay DXP Vulnerable to XSS via the Document Library Module
    >= 7.4.13.u30, < 7.4.13.u37
  • MEDIUM 6.1 CVE-2022-28980: Liferay Portal and Liferay DXP Vulnerable to XSS via the filter_ Prefix
    from 0, < 7.4.3.5-ga5
  • MEDIUM 6.1 CVE-2022-28977: Liferay Portal and Liferay DXP HtmlUtil.escapeRedirect Can Be Circumvented
    >= 7.0.10.fp91, < 7.0.10.fp101
  • MEDIUM 6.1 CVE-2022-28979: Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module
    >= 7.1.0
  • MEDIUM 6.1 CVE-2021-29049: Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via the currentURL Parameter
    >= 7.0, < 7.0.10.fp99
  • MEDIUM 6.1 CVE-2021-33337: Liferay Portal and Liferay DXP Cross-site scripting (XSS) vulnerability in the Document Library module
    >= 7.1.0, < 7.1.10.fp20
  • MEDIUM 6.1 CVE-2021-33326: Liferay Portal and Liferay DXP Cross-site scripting (XSS) vulnerability in the Frontend JS module
    >= 7.0.0, < 7.0.10.fp96
  • MEDIUM 6.1 CVE-2021-33331: Liferay Portal and Liferay DXP Allows Arbitrary Redirect of Users to External URLs
    >= 7.0.10.fp0, < 7.0.10.fp94
  • MEDIUM 6.1 CVE-2021-33332: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)
    >= 7.1.0, < 7.1.10.fp19
  • MEDIUM 6.1 CVE-2021-29046: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via Asset Module Parameter
    >= 7.3.10.fp0, < 7.3.10.fp1
  • MEDIUM 6.1 CVE-2021-29048: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) in the Layout Admin Page
    from 0, < 7.2.10.fp11
  • MEDIUM 6.1 CVE-2021-29044: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via Membership Request Admin Page
    >= 7.0.10.fp0, < 7.0.10.fp97
  • MEDIUM 6.1 CVE-2021-29045: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via the Redirect's Admin Page
    >= 7.3.10.fp0, < 7.3.10.fp1
  • MEDIUM 6.1 CVE-2021-29051: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) in Asset Publisher App
    from 0, < 7.1.10.fp21
  • MEDIUM 6.1 CVE-2022-26596: Liferay Portal and Liferay DXP allows arbitrary injection via web content template names
    >= 7.0.0, < 7.0.10.fp94
  • MEDIUM 6.1 CVE-2022-26597: Liferay Portal and Liferay DXP allows arbitrary injection via the site name
    >= 7.3.0, < 7.3.10.fp3
  • MEDIUM 6.1 CVE-2022-26594: Liferay Portal and Liferay DXP allows arbitrary injection via form field
    >= 7.3.0, < 7.3.10.fp3
  • MEDIUM 6.1 CVE-2021-38263: Liferay Portal and Liferay DXP cross-site scripting (XSS) vulnerability via the script console
    from 0, <= 7.0
  • MEDIUM 5.9 CVE-2022-42132: Liferay Portal and Liferay DXP Includes LDAP Credentials in the Page URL
    >= 7.0.0, <= 7.0.10.fp102
  • MEDIUM 5.9 CVE-2021-29043: Liferay Portal and Liferay DXP May Reveal S3 Store's Proxy Password
    from 0, < 7.0.10.fp97
  • MEDIUM 5.4 CVE-2024-25151: Liferay Portal Calendar module and Liferay DXP vulnerable to Cross-site Scripting, content spoofing
    >= 7.3.0, < 7.3.10.u4
  • MEDIUM 5.4 CVE-2024-25149: Liferay Portal and Liferay DXP Does Not Properly Restrict Membership to Child Site Based on Parent Site Options
    from 0, < 7.2.10.fp15
  • MEDIUM 5.4 CVE-2023-47798: Liferay Portal's account lockout does not invalidate existing user sessions
    >= 7.2.0, < 7.2.10.fp5
  • MEDIUM 5.4 CVE-2022-42111: Liferay Portal and Liferay DXP Vulnerable to XSS via the Sharing Module
    >= 7.2.0, < 7.2.10.fp19
  • MEDIUM 5.4 CVE-2022-42119: Liferay Portal and Liferay DXP Vulnerable to XSS via the Commerce Module
    >= 7.3.0, < 7.3.10.u8
  • MEDIUM 5.4 CVE-2022-42114: Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module
    >= 7.4.0, < 7.4.13.u37
  • MEDIUM 5.4 CVE-2022-42112: Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module
    >= 7.2.0, < 7.2.10.fp19
  • MEDIUM 5.4 CVE-2022-28978: Liferay Portal and Liferay DXP Vulnerable to XSS in the Site Module
    >= 7.0.0, < 7.0.10.fp102
  • MEDIUM 5.4 CVE-2021-33336: Liferay Portal Journal Module and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)
    >= 7.1.0, < 7.1.10.fp18
  • MEDIUM 5.4 CVE-2021-33328: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) in Edit Vocabulary Page
    >= 7.0.10.fp0, < 7.0.10.fp96
  • MEDIUM 5.4 CVE-2022-26593: Liferay Portal and Liferay DXP allows arbitrary injection via the name of an asset category
    >= 7.3.0, < 7.3.10.fp3
  • MEDIUM 5.4 CVE-2021-38269: Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) in the Gogo Shell module
    >= 7.1.0, < 7.1.10.fp23
  • MEDIUM 5.4 CVE-2021-38267: Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) in edit blog entry page
    >= 7.3.0, < 7.3.10.fp2
  • MEDIUM 5.4 CVE-2021-38265: Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS)
    from 0, <= 7.3
  • MEDIUM 5.3 CVE-2024-26268: Liferay Portal and Liferay DXP User Enumeration Vulnerability
    from 0, < 7.2.10.fp20
  • MEDIUM 5.3 CVE-2024-26267: Liferay Portal and Liferay DXP HTTP Header Can Expose Versions
    from 0, < 7.2.10.fp19
  • MEDIUM 5.3 CVE-2024-25605: Liferay Portal and Liferay DXP Allows Templates to be Viewed via the UI or API
    from 0, < 7.2.10.fp17
  • MEDIUM 5.3 CVE-2024-25146: Liferay Portal allows attackers to discover the existence of sites
    >= 7.3.0, < 7.3.10.u4
  • MEDIUM 5.3 CVE-2021-29040: Liferay Portal and Liferay DXP Reveals Data via Overly Verbose Error Messages
    from 0, < 7.0.10.fp97
  • MEDIUM 5.3 CVE-2020-15840: Liferay Portal and Liferay DXP Bypass via Double Encoded URL
    from 0, < 7.0.10.fp93
  • MEDIUM 5.3 CVE-2022-25146: Liferay Portal and Liferay DXP fails to check origin of event messages
    from 0, < 7.4.13.u5
  • MEDIUM 4.9 CVE-2021-33325: Liferay Portal and Liferay DXP Stores User Passwords in Cleartext
    from 0, < 7.0.10.fp93
  • MEDIUM 4.8 CVE-2023-37940: Liferay Portal and Liferay DXP have Cross-site Scripting vulnerability in edit Service Access Policy page
    >= 7.0, < 7.3.10.u30
  • MEDIUM 4.8 CVE-2021-33339: Liferay Portal Fragment Module and Liferay DXP Vulnerable to Cross-Site Scripting
    >= 7.2.0, < 7.2.10.fp9
  • MEDIUM 4.3 CVE-2024-25150: Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel
    from 0, < 7.2.10.fp19
  • MEDIUM 4.3 CVE-2023-3426: Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions
    >= 7.4.143.u81, <= 7.4.143.u85
  • MEDIUM 4.3 CVE-2021-33327: Liferay Portal and Liferay DXP does not properly check user permission
    >= 7.0.10.fp93, < 7.0.10.fp95
  • MEDIUM 4.3 CVE-2021-33320: Liferay Portal and Liferay DXP vulnerable to email spam via lack of flagging rate
    >= 7.0.0, < 7.0.10.fp96
  • MEDIUM 4.3 CVE-2021-33324: Liferay Portal and Liferay DXP Don't Check Permissions of Pages
    from 0, < 7.1.10.fp20
  • MEDIUM 4.3 CVE-2021-33334: Liferay Portal and Liferay DXP Fails to Properly Check User Permissions
    >= 7.0.10.fp0, < 7.0.10.fp94
  • MEDIUM 4.3 CVE-2021-29052: Liferay Portal and Liferay DXP Fails to Check Permissions
    from 0, < 7.3.10.fp1
  • MEDIUM 4.3 CVE-2022-26595: Liferay Portal and Liferay DXP fails to check permissions to view sites/groups
    >= 7.2.0, < 7.2.10.fp13
  • MEDIUM 4.1 CVE-2024-25144: Liferay Portal denial-of-service vulnerability
    >= 7.2.0, < 7.2.10.fp19
  • CVE-2025-43785: Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting
    >= 2024.Q2.0, < 2024.Q3.0
  • CVE-2025-43776: Liferay Portal and Liferay DXP vulnerable to store Cross-site Scripting
    >= 7.4, <= 7.4.13.u92
  • CVE-2025-43734: Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability
    >= 2024.q4.0, <= 2024.q4.7
  • CVE-2025-43735: Liferay Portal and Liferay DXP have a reflected cross-site scripting vulnerability
    >= 2024.q4.0, <= 2024.q4.7
  • CVE-2025-43736: Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
    >= 2025.Q1.0, < 2025.Q1.9
  • CVE-2025-4655: Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
    >= 2025.Q1.0, < 2025.Q1.6
  • CVE-2025-4581: Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
    >= 2025.Q1.0, < 2025.Q1.5
  • CVE-2025-3760: Liferay Cross-site Scripting vulnerability
    >= 7.2.10.fp1, <= 7.2.10.fp20
  • CVE-2025-2565: Liferay Portal and Liferay DXP Reveals Data via Forms
    >= 2024.Q3.0, < 2024.Q3.1
  • CVE-2025-2536: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)
    >= 2024.Q2.0, <= 2024.Q2.11