In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43757 was detected. This vulnerability allows an authenticated attacker to inject JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.3, 2025.Q1.15 or 2024.Q1.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43757.
Read more CMSIn Liferay Portal version 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43756 was detected. This vulnerability allows an authenticated user to inject JavaScript code via the snippet parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.3, 2025.Q1.16 or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43756.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43755 was detected. This vulnerability allows an authenticated attacker to inject JavaScript into the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.1, 2025.Q1.14 or 2024.Q1.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43755.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43754 was detected. This vulnerability allows attackers to determine if an account exists in the application by inspecting the server processing time of the login request. To address this issue, users should upgrade Liferay DXP to versions 2025.Q1.15, 2025.Q1.0 or 2024.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43754.
Read more CMSIn Liferay Portal versions 7.4.3.32 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 a low severity vulnerability CVE-2025-43753 was detected. This vulnerability allows an authenticated attacker to inject JavaScript into the embedded message field from the form container. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0, 2025.Q1.8 or 2024.Q1.17. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43753.
Read more CMSIn Liferay Portal versions 7.4.3.120 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43740 was detected. This vulnerability allows an authenticated attacker to inject JavaScript through the message boards feature available via the web interface. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43740.
Read more E-commerceIn Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43739 was detected. This vulnerability allows an authenticated attacker to modify the content of emails sent through the calendar portlet, which enables them to send phishing emails to other users in the same organization. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0 or 2025.Q1.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43739.
Read more E-commerceIn Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43738 was detected. This vulnerability allows an authenticated attacker to inject JavaScript code via the _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43738.
Read more E-commerceIn Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43742 was detected. This vulnerability allows attackers to inject JavaScript into web content for friendly URLs. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2024.Q1.15, 2025.Q1.4 or 2025.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43742.
Read more E-commerce