Ndix

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.112 Liferay DXP versions 2024.Q1.1 through 2024.Q1.18 Liferay DXP versions 7.4 GA through update 92 **Description** A reflected cross-site scripting (XSS) issue exists that allows a remote authenticated attacker to inject JavaScript code. The injection occurs via the ` com liferay commerce product definitions web internal portlet CPDefinitionsPortlet productTypeName` parameter. This malicious code is then reflected and executed in the user's browser. **Recommendations** Update Liferay Portal to a version later than 7.4.3.112. Update Liferay DXP to a version later than 2024.Q1.18. Update Liferay DXP to a version later than update 92.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.19 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.16 Liferay DXP versions 2025.Q2.0 through 2025.Q2.9 Description: A stored cross-site scripting issue exists in Liferay Portal and Liferay DXP. A remote authenticated attacker can inject JavaScript through the Custom Object field label. The malicious payload is stored and executed through the Process Builder's Configuration tab without proper escaping. Recommendations: Liferay Portal versions 7.4.0 through 7.4.3.132: Update to a version later than 7.4.3.132. Liferay DXP versions 2024.Q1.1 through 2024.Q1.19: Update to a version later than 2024.Q1.19. Liferay DXP versions 2024.Q2.0 through 2024.Q2.13: Update to a version later than 2024.Q2.13. Liferay DXP versions 2024.Q3.0 through 2024.Q3.13: Update to a version later than 2024.Q3.13. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7: Update to a version later than 2024.Q4.7. Liferay DXP versions 2025.Q1.0 through 2025.Q1.16: Update to a version later than 2025.Q1.16. Liferay DXP versions 2025.Q2.0 through 2025.Q2.9: Update to a version later than 2025.Q2.9.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2025.Q2.0 Liferay DXP versions 2025.Q1.0 through 2025.Q1.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.17 Liferay DXP 7.4 GA through update 92 Description: A stored cross-site scripting issue exists that allows a remote authenticated attacker to inject JavaScript into the ` com liferay layout admin web portlet GroupPagesPortlet type` parameter. Recommendations: Update Liferay Portal to a version later than 7.4.3.132. Update Liferay DXP to a version later than 2025.Q2.0. Update Liferay DXP to a version later than 2025.Q1.13. Update Liferay DXP to a version later than 2024.Q4.7. Update Liferay DXP to a version later than 2024.Q3.13. Update Liferay DXP to a version later than 2024.Q2.13. Update Liferay DXP to a version later than 2024.Q1.17. Update Liferay DXP to a version later than update 92 for the 7.4 GA release.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.18 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.10 Liferay DXP versions 2025.Q2.0 through 2025.Q2.2 Liferay Portal 7.4 GA through update 92 Description: This issue is a reflected cross-site scripting (XSS) vulnerability. A remote authenticated attacker can inject JavaScript code through the ` com liferay dynamic data mapping web portlet DDMPortlet portletNamespace` and ` com liferay dynamic data mapping web portlet DDMPortlet namespace` parameters. Recommendations: Liferay Portal versions 7.4.0 through 7.4.3.132: Update to a newer version. Liferay DXP versions 2024.Q1.1 through 2024.Q1.18: Update to a newer version. Liferay DXP versions 2024.Q2.0 through 2024.Q2.13: Update to a newer version. Liferay DXP versions 2024.Q3.0 through 2024.Q3.13: Update to a newer version. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7: Update to a newer version. Liferay DXP versions 2025.Q1.0 through 2025.Q1.10: Update to a newer version. Liferay DXP versions 2025.Q2.0 through 2025.Q2.2: Update to a newer version. Liferay Portal 7.4 GA through update 92: Update to a newer version.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.18 Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.14 Liferay DXP versions 2025.Q2.0 through 2025.Q2.2 Liferay Portal 7.4 GA through update 92 Description: This issue is a reflected cross-site scripting (XSS) vulnerability. A remote authenticated attacker can inject JavaScript code through the ` com liferay dynamic data mapping web portlet DDMPortlet definition` parameter. Recommendations: Liferay Portal versions 7.4.0 through 7.4.3.132: Update to a version later than 7.4.3.132. Liferay DXP versions 2024.Q1.1 through 2024.Q1.18: Update to a version later than 2024.Q1.18. Liferay DXP versions 2024.Q2.1 through 2024.Q2.13: Update to a version later than 2024.Q2.13. Liferay DXP versions 2024.Q3.1 through 2024.Q3.13: Update to a version later than 2024.Q3.13. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7: Update to a version later than 2024.Q4.7. Liferay DXP versions 2025.Q1.0 through 2025.Q1.14: Update to a version later than 2025.Q1.14. Liferay DXP versions 2025.Q2.0 through 2025.Q2.2: Update to a version later than 2025.Q2.2. Liferay Portal 7.4 GA through update 92: Update to a version later than update 92.

Name of the Vulnerable Software and Affected Versions: Liferay Portal version 7.4.3.132 Liferay DXP versions 2025.Q2.0 through 2025.Q2.8 Liferay DXP versions 2025.Q1.0 through 2025.Q1.15 Description: A reflected cross-site scripting (XSS) vulnerability exists that allows a remote authenticated user to inject JavaScript code via the ` com liferay journal web portlet JournalPortlet backURL` parameter. Recommendations: Liferay Portal version 7.4.3.132: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Liferay DXP versions 2025.Q2.0 through 2025.Q2.8: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Liferay DXP versions 2025.Q1.0 through 2025.Q1.15: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.120 through 7.4.3.132 Liferay DXP versions 2025.Q2.0 through 2025.Q2.8 Liferay DXP versions 2025.Q1.0 through 2025.Q1.15 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 Liferay DXP versions 2024.Q1.9 through 2024.Q1.19 Description: A stored cross-site scripting issue exists in the message boards feature of the web interface, allowing a remote authenticated attacker to inject JavaScript. Recommendations: Liferay Portal version 7.4.3.133 and later. Liferay DXP version 2025.Q2.9 and later. Liferay DXP version 2025.Q1.16 and later. Liferay DXP version 2024.Q4.8 and later. Liferay DXP version 2024.Q3.14 and later. Liferay DXP version 2024.Q2.14 and later. Liferay DXP version 2024.Q1.20 and later.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.19 Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.15 Liferay DXP versions 2025.Q2.0 through 2025.Q2.8 Description: A reflected cross-site scripting (XSS) vulnerability allows a remote authenticated user to inject JavaScript code via the ` com liferay expando web portlet ExpandoPortlet displayType` parameter. Recommendations: Liferay Portal versions prior to 7.4.3.133 Liferay DXP versions prior to 2024.Q1.1 Liferay DXP versions prior to 2024.Q2.1 Liferay DXP versions prior to 2024.Q3.1 Liferay DXP versions prior to 2024.Q4.1 Liferay DXP versions prior to 2025.Q1.0 Liferay DXP versions prior to 2025.Q2.0

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2025.Q2.0 through 2025.Q2.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.14 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.19 Liferay DXP 7.4 GA through update 92 Description: A Cross-Site Request Forgery (CSRF) issue exists that allows remote attackers to perform cross-origin requests on behalf of an authenticated user. The attack is performed via the `endpoint` parameter. Recommendations: Update Liferay Portal to a version later than 7.4.3.132. Update Liferay DXP to a version later than 2025.Q2.7. Update Liferay DXP to a version later than 2025.Q1.14. Update Liferay DXP to a version later than 2024.Q4.7. Update Liferay DXP to a version later than 2024.Q3.13. Update Liferay DXP to a version later than 2024.Q2.13. Update Liferay DXP to a version later than 2024.Q1.19. Update Liferay DXP to a version later than update 92.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.19 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2025.Q1.0 through 2025.Q1.15 Liferay DXP versions 2025.Q2.0 through 2025.Q2.5 Liferay Portal 7.4 GA through update 92 Description: A stored DOM-based Cross-Site Scripting (XSS) issue exists in the Asset Publisher configuration UI within the `Source.js` module. The vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels, which are then inserted into the DOM using `innerHTML` without proper encoding. Recommendations: Liferay Portal versions 7.4.0 through 7.4.3.132: Update to a version later than 7.4.3.132. Liferay DXP versions 2024.Q1.1 through 2024.Q1.19: Update to a version later than 2024.Q1.19. Liferay DXP versions 2024.Q2.0 through 2024.Q2.13: Update to a version later than 2024.Q2.13. Liferay DXP versions 2024.Q3.1 through 2024.Q3.13: Update to a version later than 2024.Q3.13. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7: Update to a version later than 2024.Q4.7. Liferay DXP versions 2025.Q1.0 through 2025.Q1.15: Update to a version later than 2025.Q1.15. Liferay DXP versions 2025.Q2.0 through 2025.Q2.5: Update to a version later than 2025.Q2.5. Liferay Portal 7.4 GA through update 92: Update to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.103 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay DXP versions 2023.Q3.1 through 2023.Q3.5 Liferay DXP versions 7.4 GA through update 92 Liferay DXP versions 7.3 update 29 through update 35 **Description** A cross-site request forgery (CSRF) vulnerability in the content page editor allows remote attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the ` com liferay commerce catalog web internal portlet CommerceCatalogsPortlet redirect` parameter. **Recommendations** For Liferay Portal versions 7.4.0 through 7.4.3.103, update to the latest version. For Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, update to the latest version. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, update to the latest version. For Liferay DXP versions 7.4 GA through update 92, update to the latest version. For Liferay DXP versions 7.3 update 29 through update 35, update to the latest version. As a temporary workaround, consider restricting access to the ` com liferay commerce catalog web internal portlet CommerceCatalogsPortlet redirect` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.2 through 7.4.3.107 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay DXP versions 2023.Q3.1 through 2023.Q3.5 Liferay DXP 7.4 GA through update 92 Liferay DXP 7.3 GA through update 35 **Description** A cross-site request forgery (CSRF) vulnerability in the content page editor allows remote attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the `p l back url` parameter. **Recommendations** For Liferay Portal versions 7.3.2 through 7.4.3.107, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, update to a version outside of this range to mitigate the risk. For Liferay DXP 7.4 GA through update 92, apply update 93 or later to mitigate the risk. For Liferay DXP 7.3 GA through update 35, apply update 36 or later to mitigate the risk. As a temporary workaround, consider restricting access to the `p l back url` parameter in the content page editor until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.75 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay DXP versions 2023.Q3.1 through 2023.Q3.5 Liferay Portal 7.4 update 75 through update 92 Liferay Portal 7.3 update 32 through update 36 **Description** A cross-site request forgery (CSRF) vulnerability in the My Account widget allows remote attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the ` com liferay my account web portlet MyAccountPortlet backURL` parameter. **Recommendations** For Liferay Portal versions 7.4.3.75 through 7.4.3.111, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, update to a version outside of this range to mitigate the risk. For Liferay Portal 7.4 update 75 through update 92, update to a version outside of this range to mitigate the risk. For Liferay Portal 7.3 update 32 through update 36, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the My Account widget until a patch is available. Avoid using the ` com liferay my account web portlet MyAccountPortlet backURL` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.70 through 7.4.3.76 Liferay DXP 7.4 update 70 through 76 **Description** The issue is related to an open redirect vulnerability in the Layout module's SEO configuration. This vulnerability allows remote attackers to redirect users to arbitrary external URLs via the ` com liferay layout admin web portlet GroupPagesPortlet backURL` parameter. **Recommendations** For Liferay Portal versions 7.4.3.70 through 7.4.3.76, consider restricting access to the Layout module's SEO configuration until a patch is available. For Liferay DXP 7.4 update 70 through 76, avoid using the ` com liferay layout admin web portlet GroupPagesPortlet backURL` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.70 through 7.4.3.73 Liferay DXP 7.4 update 70 through 73 **Description** A cross-site scripting (XSS) issue exists in the Layout module's SEO configuration, allowing remote attackers to inject arbitrary web script or HTML via the ` com liferay layout admin web portlet GroupPagesPortlet backURL` parameter. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For Liferay Portal versions 7.4.3.70 through 7.4.3.73, restrict access to the Layout module's SEO configuration until a patch is available. For Liferay DXP 7.4 update 70 through 73, avoid using the ` com liferay layout admin web portlet GroupPagesPortlet backURL` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider disabling the SEO configuration in the Layout module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.70 through 7.4.3.76 Liferay DXP 7.4 update 70 through 76 **Description** A cross-site request forgery (CSRF) issue in the Layout module's SEO configuration allows remote attackers to execute arbitrary code in the scripting console via the ` com liferay layout admin web portlet GroupPagesPortlet backURL` parameter. **Recommendations** For Liferay Portal versions 7.4.3.70 through 7.4.3.76, consider disabling the SEO configuration in the Layout module until a patch is available. For Liferay DXP 7.4 update 70 through 76, restrict access to the scripting console to minimize the risk of exploitation. Avoid using the ` com liferay layout admin web portlet GroupPagesPortlet backURL` parameter in the affected API endpoint until the issue is resolved.