In Liferay Portal versions 7.3.0 through 7.4.3.119 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92, and 7.3 GA through update 36 a medium severity vulnerability CVE-2025-62251 was detected. The Menu Display Widget can expose content to users who do not have permission to view it, potentially disclosing sensitive information. To address this issue, users should upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62251.
Read more CMSIn Liferay Portal versions 7.4.1 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-62245 was detected. A cross-site request forgery (CSRF) flaw allows remote attackers to add or edit publication comments without proper authorization. To address this issue, users should upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q1.1, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62245.
Read more CMSIn Liferay Portal versions 7.4.3.21 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 a medium severity vulnerability CVE-2025-62239 was detected. A cross-site scripting (XSS) flaw in the workflow process builder allows remote authenticated attackers to inject arbitrary web script or HTML via crafted input in a workflow definition. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62239.
Read more CMSIn Liferay Portal versions 7.4.3.21 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 a medium severity vulnerability CVE-2025-62238 was detected. A stored cross-site scripting (XSS) flaw on the Membership page in Account Settings allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload in an Account’s “Name” text field. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62238.
Read more CMSIn Liferay Portal versions 7.4.3.8 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 a medium severity vulnerability CVE-2025-62237 was detected. A stored cross-site scripting (XSS) flaw in the Commerce view order page allows remote attackers to inject arbitrary web script or HTML via a crafted payload in an Account’s “Name” text field. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62237.
Read more CMSIn Liferay Portal versions 7.4.3.15 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 a medium severity vulnerability CVE-2025-43822 was detected. Multiple stored cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a crafted payload in a Terms and Conditions Name text field, affecting Payment Terms or Delivery Term on the view order page. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43822.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.111 and older unsupported versions, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions a medium severity vulnerability CVE-2025-43824 was detected. The Profile widget uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43824.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA a medium severity vulnerability CVE-2025-43823 was detected. Cross-site scripting in the Commerce Search Result widget allows remote attackers to inject arbitrary web script or HTML via a crafted payload in a Commerce Product’s Name text field. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43823.
Read more CMSIn Liferay Portal versions 7.4.3.50 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 Update 50 through Update 92 a medium severity vulnerability CVE-2025-43811 was detected. This stored cross-site scripting vulnerability in the related asset selector allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload placed in an asset author’s First Name, Middle Name, or Last Name fields. To address this issue, users should upgrade Liferay Portal to version7.4.3.112 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.5, 2023.Q3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43811.
Read more CMS