In Liferay Portal versions 7.4.3.120 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19, a medium-severity vulnerability, CVE-2025-43740, was detected. This vulnerability allows an authenticated attacker to inject JavaScript through the message boards feature available via the web interface. To address this issue, users should upgrade Liferay Portal to the master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43740.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-43739, was detected. This vulnerability allows an authenticated attacker to modify the content of emails sent through the calendar portlet, which enables them to send phishing emails to other users in the same organization. To address this issue, users should upgrade Liferay Portal to the master branch and Liferay DXP to versions 2025.Q2.0 or 2025.Q1.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43739.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19, a medium-severity vulnerability, CVE-2025-43738, was detected. This vulnerability allows an authenticated attacker to inject JavaScript code via the _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter. To address this issue, users should upgrade Liferay Portal to the master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43738.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-43742, was detected. This vulnerability allows attackers to inject JavaScript into web content for friendly URLs. To address this issue, users should upgrade Liferay Portal to the master branch and Liferay DXP to versions 2024.Q1.15, 2025.Q1.4 or 2025.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43742.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and in Liferay DXP versions 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-43743, was detected. This vulnerability allows attackers to view other calendars by enumerating the names of other authenticated users. To address this issue, users should upgrade Liferay Portal to the master branch and Liferay DXP to versions 2025.Q2.0, 2025.Q1.6 or 2024.Q1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43743.
In Liferay Portal and DXP versions 7.4.0 through 7.4.3.132 and 2025.Q2.0 through 2025.Q2.7, a medium-severity vulnerability, CVE-2025-43745, was detected. This vulnerability allows attackers to perform a cross-origin request on behalf of the authenticated user via the endpoint parameter. To address this issue, users should upgrade Liferay Portal to the master branch and Liferay DXP to versions 2025.Q2.8 or 2025.Q1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43745.
In Liferay Portal and DXP versions 7.4.0 through 7.4.3.132, a high-severity vulnerability, CVE-2025-43744, was detected. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels. To address this issue, users should upgrade Liferay Portal to the master branch and Liferay DXP to versions 2025.Q2.6 or 2025.Q1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43744.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-43732, was detected. This vulnerability allows organization administrators to gain unauthorized access to user lists from other organizations due to an Insecure Direct Object Reference (IDOR) in the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId parameter. To address this issue, users should upgrade Liferay Portal to the master branch, where the issue is fixed, and Liferay DXP to versions 2025.Q2.0, 2025.Q1.11 or 2024.Q1.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43732.
In Liferay Portal versions 7.3.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36, a low-severity vulnerability, CVE-2025-3639, was detected. This vulnerability allows unauthenticated attackers with valid credentials to bypass multi-factor authentication (MFA) by changing the HTTP method from POST to GET during login. Currently, there is no fixed version for this issue. For more details, visit CVE-2025-3639.