In Liferay Portal versions 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q3.1 through 2023.Q3.10 and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-43771 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted payloads in the Notifications widget, including user name fields, flagging “Other Reason” text field, or flagged content name. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 2024.Q1.1 or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43771.
Read more CMS
In Liferay Portal versions 7.4.3.35 through 7.4.3.111, 7.4 update 35 through update 92, and 7.3 update 25 through update 36, and Liferay DXP 2023.Q3.1 through 2023.Q3.7 and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-62240 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted payloads in Calendar event fields, including a user’s First Name, Middle Name, or Last Name text fields. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 2024.Q1.1, 2023.Q4.6, or 2023.Q3.8. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62240.
Read more CMS
In Kibana versions 7.0.0 through 7.17.29, 8.0.0 through 8.18.7, 8.19.0 through 8.19.3, 9.0.0 through 9.0.6, and 9.1.0 through 9.1.3, a high severity vulnerability CVE-2025-25017 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via improperly neutralized input during web page generation in Vega visualizations. Users should update Kibana to versions 8.18.8, 8.19.4, 9.0.7, or 9.1.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25017.
Read more Data Analytics
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-62248 was detected. This vulnerability allows a remote authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter, leading to code execution in the victim’s browser when visiting a crafted URL. To address this issue, users should update to Liferay DXP 2025.Q2.10, 2025.Q1.17, or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62248.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132 and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 a medium severity vulnerability CVE-2025-62250 was detected. This vulnerability allows remote attackers to send unauthenticated cluster messages that are treated as trusted data, potentially compromising system integrity. To address this issue, users should upgrade to Liferay DXP versions 2024.Q1.1, 2023.Q4.1, 2023.Q3.5, 7.3 update 36, or the latest master branch of Liferay Portal. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62250.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132 and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 a medium severity vulnerability CVE-2025-62249 was detected. This reflected XSS vulnerability allows a remote unauthenticated attacker to inject arbitrary JavaScript via the google_gadget. To address this issue, users should upgrade to Liferay DXP versions 2025.Q3.3, 2025.Q1.18, 2024.Q1.21, or the latest master branch of Liferay Portal. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62249.
Read more CMS
In Sonatype Nexus Repository 2.x versions up to and including 2.15.2 a high severity vulnerability CVE-2025-9868 was detected. This vulnerability in the Remote Browser Plugin allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests. To address this issue, users should upgrade to Nexus Repository 3.x. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9868.
Read more Developer Tools
In Liferay Portal versions 7.3.2 through 7.4.3.111, and Liferay DXP 7.3 GA through update 35, 7.4 GA through update 92, 2023.Q3.1 through 2023.Q3.8, and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-43830 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload in a form with a rich text type field. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 7.3 update 36, 7.4.Q1.1, 2023.Q3.9, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43830.
Read more CMS
In Liferay Portal versions 7.4.3.18 through 7.4.3.111, and Liferay DXP 7.4 update 18 through update 92, 2023.Q3.1 through 2023.Q3.8, and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-43829 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload in a Commerce diagram SVG file. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 7.3 update 36, 7.4.Q1.1, 2023.Q3.9, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43829.
Read more CMS