Security
Headlines

Headlines Latest CVEs

Headline

GHSA-pf86-4w35-cj89: Liferay Portal vulnerable to cross-site scripting in the Calendar widget

Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle text, or (3) Last Name text fields.

13 days ago

#xss #vulnerability #web #git #java #maven

GitHub Advisory Database
GitHub Reviewed
CVE-2025-43820

Liferay Portal vulnerable to cross-site scripting in the Calendar widget

Moderate severity GitHub Reviewed Published Sep 30, 2025 to the GitHub Advisory Database • Updated Sep 30, 2025

Package

maven com.liferay.portal:release.portal.bom (Maven)

Affected versions

>= 7.4.3.35-ga35, <= 7.4.3.110-ga110

Patched versions

7.4.3.111-ga111

maven com.liferay:com.liferay.calendar.web (Maven)

Published to the GitHub Advisory Database

Sep 30, 2025

Last updated

Sep 30, 2025

ghsa: Latest News

GHSA-4p3p-cr38-v5xp: Omni is Vulnerable to DoS via Empty Create/Update Resource Requests

1 hour ago

GHSA-fhwm-pc6r-4h2f: CommandKit has incorrect command name exposure in context object for message command aliases

4 hours ago

GHSA-7r7f-9xpj-jmr7: Ash Framework: Filter authorization misapplies impossible bypass/runtime policies

8 hours ago

GHSA-wxwx-9fh7-5mrw: cel-rust May Panic During Parsing of Invalid CEL Expressions

2 days ago

GHSA-37j7-fg3j-429f: Happy DOM: VM Context Escape can lead to Remote Code Execution

2 days ago