Liferay Security Vulnerabilities (CVEs)

This vulnerability allows remote attackers to view images in blog entries without proper permission checks in Liferay Portal and DXP. Attackers can ac...

This vulnerability allows local users to access downloaded files via browser cache due to incorrect cache-control headers in Liferay's Document Librar...

This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP that allow remote attackers to inject malicious scrip...

This reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote attackers to inject malicious scripts or HTML via a sp...

This CVE describes a cross-site scripting (XSS) vulnerability in Liferay Portal and DXP's Blogs widget. Attackers can inject malicious <iframe> elemen...

This CVE describes a DNS rebinding vulnerability in Liferay Portal and DXP that allows attackers to redirect users to malicious external URLs. Affecte...

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Liferay Portal's Headless API that allows attackers to execute any Headless AP...

This vulnerability allows remote users to access and edit content via APIs in Liferay Portal and DXP before email verification, bypassing intended acc...

This vulnerability allows remote attackers to perform denial-of-service attacks against Liferay Portal/DXP by sending Headless API requests that retur...

This vulnerability allows local users to view user email addresses in log files through the LDAP import feature in Liferay Portal and DXP. It affects ...

This open redirect vulnerability in Liferay Portal and DXP allows attackers to redirect authenticated users to malicious external websites by manipula...

This vulnerability in Liferay Portal and DXP allows remote attackers to trigger denial of service attacks by exploiting the ComboServlet's lack of lim...

This CVE describes a self cross-site scripting (XSS) vulnerability in Liferay Portal and DXP that allows remote attackers to inject malicious scripts ...

This vulnerability allows remote attackers to access Liferay's OpenAPI YAML file through a crafted URL, potentially exposing API documentation and int...

This vulnerability allows authenticated users in Liferay Portal/DXP to access and select unauthorized Blueprints through Collection Providers across i...

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated attackers to inject malicious JavaScript via a spe...

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote unauthenticated attackers to inject malicious JavaScript ...

This CVE describes stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP where authenticated users can inject malicious scripts ...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users in one virtual i...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay DXP that allows authenticated users from one virtual instance t...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users to access other ...

A CSRF vulnerability in Liferay Portal and DXP allows attackers to add or edit publication comments without user consent. This affects Liferay Portal ...

This cross-site scripting (XSS) vulnerability in Liferay's workflow process builder allows authenticated attackers to inject malicious scripts or HTML...

A stored cross-site scripting (XSS) vulnerability in Liferay's Commerce view order page allows attackers to inject malicious scripts into account name...

This stored XSS vulnerability allows authenticated attackers to inject malicious scripts into the Account Name field on the Membership page in Liferay...

This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP calendar events. Attackers can inject malicious scrip...

This CVE describes multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP notifications widget. Attackers can inject mal...

A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into forms with rich text fie...

This stored cross-site scripting (XSS) vulnerability in Liferay's diagram type products allows remote attackers to inject malicious scripts or HTML vi...

This CVE describes stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP where attackers can inject malicious scripts into Terms...

This cross-site scripting (XSS) vulnerability allows remote attackers to inject malicious scripts into Commerce Product Name fields in Liferay Portal ...

This vulnerability allows authenticated users to manipulate file extensions when downloading vCard files from the Profile widget in Liferay. Attackers...

This vulnerability in Liferay Portal and DXP allows unauthorized actors to access sensitive user data through Freemarker templates. It affects multipl...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users from one virtual...

This cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into web content templates in Liferay Portal and ...

This vulnerability in Liferay Portal/DXP allows remote attackers to perform path traversal attacks via the ComboServlet, potentially accessing arbitra...

This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP calendar widgets. Attackers can inject malicious scri...

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts via the backURLTitle param...

A cross-site scripting (XSS) vulnerability in Liferay's Calendar widget allows attackers to inject malicious scripts or HTML via the Calendar Name fie...

This vulnerability allows remote unauthenticated attackers to reuse expired user sessions through the Single Logout (SLO) API in affected Liferay vers...

A reflected cross-site scripting vulnerability in Liferay Portal and DXP allows authenticated attackers to inject malicious JavaScript via a specific ...

An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP allows authenticated users from one virtual instance to add notes t...

This vulnerability allows remote authenticated users to view password reminder answers through audit event logs in affected Liferay versions. This aff...

This vulnerability allows remote authenticated users to bypass permission checks in Liferay's Batch Engine, enabling unauthorized access to exported d...

A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into the notifications widget...

This vulnerability allows remote attackers to access and download virtual products for free in Liferay Commerce by exploiting incorrect permission set...

An insecure direct object reference (IDOR) vulnerability in Liferay's Contacts Center widget allows remote attackers to access contact information the...

This is a reflected cross-site scripting (XSS) vulnerability in Liferay's Search widget that allows attackers to inject malicious scripts via the _com...

This vulnerability allows remote attackers to view display page templates in Liferay Portal/DXP without proper authorization checks. Attackers can exp...

This stored XSS vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into the externalReferenceCode parameter of custom ob...