In Liferay Portal versions 7.3.0 through 7.4.3.119 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92, and 7.3 GA through update 36 a medium severity vulnerability CVE-2025-62251 was detected. The Menu Display Widget can expose content to users who do not have permission to view it, potentially disclosing sensitive information. To address this issue, users should upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62251.
In SonarQube versions prior to 25.6, 2025.3 Commercial, and 2025.1.3 LTA a medium severity vulnerability CVE-2025-62292 was detected. Authenticated low-privileged users can query the /api/v2/users-management/users endpoint and access user fields intended for administrators only, including the email addresses of other accounts. To address this issue, users should upgrade SonarQube to versions 25.6, 2025.3 Commercial, 2025.1.3 LTA or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62292.
In Kibana versions prior to 8.18.8, 8.19.5, 9.0.8, and 9.1.5 a high severity vulnerability CVE-2025-25018 was detected. Improper neutralization of input during web page generation allows an attacker to inject and store malicious scripts, leading to stored Cross-Site Scripting. To address this issue, users should upgrade Kibana to versions 8.18.8, 8.19.5, 9.0.8, or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25018.
In Liferay Portal versions 7.4.1 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-62245 was detected. A cross-site request forgery (CSRF) flaw allows remote attackers to add or edit publication comments without proper authorization. To address this issue, users should upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q1.1, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62245.
In Liferay Portal versions 7.4.3.21 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 a medium severity vulnerability CVE-2025-62239 was detected. A cross-site scripting (XSS) flaw in the workflow process builder allows remote authenticated attackers to inject arbitrary web script or HTML via crafted input in a workflow definition. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62239.
In Liferay Portal versions 7.4.3.21 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 a medium severity vulnerability CVE-2025-62238 was detected. A stored cross-site scripting (XSS) flaw on the Membership page in Account Settings allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload in an Account’s “Name” text field. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62238.
In Liferay Portal versions 7.4.3.8 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 a medium severity vulnerability CVE-2025-62237 was detected. A stored cross-site scripting (XSS) flaw in the Commerce view order page allows remote attackers to inject arbitrary web script or HTML via a crafted payload in an Account’s “Name” text field. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62237.
In all Elasticsearch versions from 7.0.0 up to and including 7.17.29, from 8.0.0 up to and including 8.18.7, from 8.19.0 up to and including 8.19.4, from 9.0.0 up to and including 9.0.7, and from 9.1.0 up to and including 9.1.4, a medium severity vulnerability CVE-2025-37727 was detected. This vulnerability allows sensitive information to be inserted into log files when auditing requests to the reindex API, potentially leading to a loss of confidentiality under specific conditions. To address this issue, users should update Elasticsearch to versions 8.18.8, 8.19.5, 9.0.8 or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37727.