In Liferay Portal versions 7.4.0 through 7.4.3.111 and older unsupported versions, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions a medium severity vulnerability CVE-2025-62252 was detected. An insecure direct object reference (IDOR) flaw allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62252.
Read more CMSIn Liferay Portal versions 7.3.0 through 7.4.3.119 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92, and 7.3 GA through update 36 a medium severity vulnerability CVE-2025-62251 was detected. The Menu Display Widget can expose content to users who do not have permission to view it, potentially disclosing sensitive information. To address this issue, users should upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62251.
Read more CMSIn Liferay Portal versions 7.3.0 through 7.4.3.119 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92, and 7.3 GA through update 36 a medium severity vulnerability CVE-2025-62251 was detected. The Menu Display Widget can expose content to users who do not have permission to view it, potentially disclosing sensitive information. To address this issue, users should upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62251.
Read more CMSIn Kibana versions prior to 8.18.8, 8.19.5, 9.0.8, and 9.1.5 a high severity vulnerability CVE-2025-25018 was detected. Improper neutralization of input during web page generation allows an attacker to inject and store malicious scripts, leading to stored Cross-Site Scripting. To address this issue, users should upgrade Kibana to versions 8.18.8, 8.19.5, 9.0.8, or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25018.
Read more Data AnalyticsIn Liferay Portal versions 7.4.1 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-62245 was detected. A cross-site request forgery (CSRF) flaw allows remote attackers to add or edit publication comments without proper authorization. To address this issue, users should upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q1.1, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62245.
Read more CMSIn Liferay Portal versions 7.4.3.21 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 a medium severity vulnerability CVE-2025-62239 was detected. A cross-site scripting (XSS) flaw in the workflow process builder allows remote authenticated attackers to inject arbitrary web script or HTML via crafted input in a workflow definition. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62239.
Read more CMSIn Liferay Portal versions 7.4.3.21 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 a medium severity vulnerability CVE-2025-62238 was detected. A stored cross-site scripting (XSS) flaw on the Membership page in Account Settings allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload in an Account’s “Name” text field. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62238.
Read more CMSIn Liferay Portal versions 7.4.3.8 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 a medium severity vulnerability CVE-2025-62237 was detected. A stored cross-site scripting (XSS) flaw in the Commerce view order page allows remote attackers to inject arbitrary web script or HTML via a crafted payload in an Account’s “Name” text field. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62237.
Read more CMSIn Elasticsearch versions prior to all versions from 7.0.0 up to and including 7.17.29, from 8.0.0 up to and including 8.18.7, from 8.19.0 up to and including 8.19.4, from 9.0.0 up to and including 9.0.7, and from 9.1.0 up to and including 9.1.4 a medium severity vulnerability CVE-2025-37727 was detected. This vulnerability allows sensitive information to be inserted into log files when auditing requests to the reindex API, potentially leading to a loss of confidentiality under specific conditions. To address this issue, users should update Elasticsearch to versions 8.18.8, 8.19.5, 9.0.8 or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37727.
Read more Data Analytics