Security
Headlines

Headlines Latest CVEs

Headline

GHSA-hrc4-p2h3-pjqw: Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)

Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module’s layout-taglib/liferay/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter

2 months ago

#xss #vulnerability #web #js #git #java #maven

GitHub Advisory Database
GitHub Reviewed
CVE-2025-2536

Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)

Moderate severity GitHub Reviewed Published Mar 19, 2025 to the GitHub Advisory Database • Updated Mar 20, 2025

Package

maven com.liferay.portal:release.dxp.bom (Maven)

Affected versions

>= 2024.Q2.0, <= 2024.Q2.11

>= 2024.Q1.1, < 2024.Q1.13

>= 2023.Q4.0, <= 2023.Q4.10

>= 2023.Q3.1, <= 2023.Q3.10

>= 2024.Q3.0, < 2024.Q3.1

Patched versions

2024.Q1.13

2024.Q4.0

2024.Q4.0

2024.Q3.1

maven com.liferay.portal:release.portal.bom (Maven)

Published to the GitHub Advisory Database

Mar 19, 2025

Last updated

Mar 20, 2025

ghsa: Latest News

GHSA-9x73-87fh-54w9: Gardener allows metadata injection for a project secret which can lead to privilege escalation

33 minutes ago

GHSA-3hw7-qj9h-r835: Gardener allows bypassing project secret validation which can lead to privilege escalation

2 hours ago

GHSA-xwgg-m7fx-83wx: Gardener External DNS Management allows malicious google credential in DNS secret to lead to privilege escalation

2 hours ago

GHSA-5rjg-fvgr-3xxf: setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write

4 hours ago

GHSA-mj2c-8hxf-ffvq: Cocotais Bot has builtin .echo command injection

5 hours ago