In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43752 was detected. This vulnerability allows an attacker to upload an unlimited amount of files through the object entries attachment fields, which can lead to a potential Denial-of-Service (DoS). To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.5, 2025.Q2.0 or 2024.Q1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43752.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43750 was detected. This vulnerability allows an unauthenticated attacker to upload files via the form attachment field without proper validation, which enables extension obfuscation and bypassing MIME type checks. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.2 or 2025.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43750.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43749 was detected. This vulnerability allows an unauthenticated attacker to access files uploaded in the form and stored in the document_library. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.2, 2025.Q2.0 or 2024.Q1.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43749.
Read more CMS
In Liferay Portal versions 7.0.0 through 7.4.3.119, and Liferay DXP versions 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions a high severity vulnerability CVE-2025-43748 was detected. This vulnerability allows an attacker to execute Cross-Site Request Forgery attacks against omni-administrator users. To address this issue, users should upgrade Liferay Portal to version 7.4.3.120 and Liferay DXP to versions 2025.Q1.7 or 2025.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43748.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43757 was detected. This vulnerability allows an authenticated attacker to inject JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.3, 2025.Q1.15 or 2024.Q1.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43757.
Read more CMS
In Liferay Portal version 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43756 was detected. This vulnerability allows an authenticated user to inject JavaScript code via the snippet parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.3, 2025.Q1.16 or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43756.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43755 was detected. This vulnerability allows an authenticated attacker to inject JavaScript into the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.1, 2025.Q1.14 or 2024.Q1.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43755.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43754 was detected. This vulnerability allows attackers to determine if an account exists in the application by inspecting the server processing time of the login request. To address this issue, users should upgrade Liferay DXP to versions 2025.Q1.15, 2025.Q1.0 or 2024.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43754.
Read more CMS
In Liferay Portal versions 7.4.3.32 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 a low severity vulnerability CVE-2025-43753 was detected. This vulnerability allows an authenticated attacker to inject JavaScript into the embedded message field from the form container. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0, 2025.Q1.8 or 2024.Q1.17. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43753.
Read more CMS