In Liferay Portal versions 7.4.0 through 7.4.3.101 and Liferay DXP versions 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35, a medium severity vulnerability, CVE-2025-43796, was detected. This vulnerability allows remote attackers to perform denial-of-service attacks on the application by executing GraphQL queries that return a large number of objects without restriction. To address this issue, users should upgrade Liferay Portal to version 7.4.3.102 or later, and Liferay DXP to version 2023.Q3.5, 7.4 update 93, or 7.3 update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43796.
In Liferay Portal versions 7.4.0 through 7.4.3.124 and Liferay DXP versions 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92, a high severity vulnerability, CVE-2025-43790, was detected. This vulnerability allows remote authenticated users from one virtual instance to access, create, edit, and relate data/object entries or definitions to an object in a different virtual instance. To address this issue, users should upgrade Liferay Portal to version 7.4.3.125 or later, and Liferay DXP to version 2024.Q2.7, 2024.Q1.13, or 7.4 update 93. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43790.
In Liferay Portal versions 7.4.3.45 through 7.4.3.128 and Liferay DXP versions 2024.Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92, a medium severity vulnerability, CVE-2025-43785, was detected. This vulnerability allows attackers to execute arbitrary web script or HTML in the My Workflow Tasks page. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129 or later, and Liferay DXP to versions 2024.Q2.10 or 2024.Q1.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43785.
In Liferay Portal versions 7.4.3.73 through 7.4.3.128 and Liferay DXP versions 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 73 through update 92, a medium severity vulnerability, CVE-2025-43783, was detected. This vulnerability allows attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129 or later, and Liferay DXP to versions 2024.Q3.2, 2024.Q2.14, or 2024.Q1.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43783.
In Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, a high severity vulnerability, CVE-2025-54236, was detected. This vulnerability is caused by improper input validation and allows attackers to achieve session takeover, with a high impact on confidentiality and integrity. To address this issue, users should upgrade Adobe Commerce to version 2.4.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54236.
In Liferay Portal versions 7.4.0 through 7.4.3.124 and Liferay DXP versions 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92, a medium severity vulnerability, CVE-2025-43784, was detected. This vulnerability allows guest users to obtain object entry information via the API Builder. To address this issue, users should upgrade Liferay Portal to version 7.4.3.125 or later, and Liferay DXP to versions 2024.Q2.9 or 2024.Q1.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43784.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19, and 7.4 GA through update 92, a medium severity vulnerability, CVE-2025-43776, was detected. This vulnerability allows a remote authenticated attacker to inject JavaScript through a Custom Object field label. To address this issue, users should upgrade Liferay Portal to the latest patched version on the master branch, or Liferay DXP to versions 2024.Q1.20, 2025.Q1.17, or 2025.Q2.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43776.
In Liferay Portal versions 7.4.0 through 7.4.3.128, and Liferay DXP versions 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92, a medium severity vulnerability, CVE-2025-43786, was detected. This vulnerability allows attackers to determine whether an ERC exists in the application by exploiting the response time. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to versions 2024.Q1.13, 2024.Q3.2 or 2024.Q4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43786.
In Liferay Portal versions 7.4.3.110 through 7.4.3.128, and Liferay DXP versions 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12, a medium severity vulnerability, CVE-2025-43781, was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the URL in the search bar portlet, leading to reflected cross-site scripting. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to versions 2024.Q1.13, 2024.Q3.2 or 2024.Q4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43781.