Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1xaHA2LXZwN2MtZzd4cM4ABG8e

Moderate CVSS: 4.8 EPSS: 0.00292% (0.52181 Percentile) EPSS:
Permalink JSON

Liferay Cross-site Scripting vulnerability

Affected Packages Affected Versions Fixed Versions
maven:com.liferay.portal:release.dxp.bom = 7.4.13, >= 7.3.10.0, <= 7.3.10.3, >= 7.2.10, <= 7.2.10.8, >= 2024.Q4.1, <= 2024.Q4.7, >= 2024.Q3.1, <= 2024.Q3.9, >= 2024.Q2.0, <= 2024.Q2.13, >= 2024.Q1.1, <= 2024.Q1.12, >= 2023.Q4.0, <= 2023.Q4.10, >= 2023.Q3.1, <= 2023.Q3.10, >= 7.4.13.u1, <= 7.4.13.u92, >= 7.3.10.ep1, <= 7.3.10.u36, >= 7.2.10.fp1, <= 7.2.10.fp20 , , , 2025.Q1.0, 2024.Q3.10, , 2024.Q1.13, , , , ,
0 Dependent packages
2 Dependent repositories

Affected Version Ranges

All affected versions

7.1.10, 7.2.1, 7.2.1-0.fp1, 7.2.1-0.fp1-1, 7.2.1-0.fp2, 7.2.1-0.fp10, 7.2.1-0.fp11, 7.2.1-0.fp12, 7.2.1-0.fp13, 7.2.1-0.fp14, 7.2.1-0.fp15, 7.2.1-0.fp16, 7.2.1-0.fp17, 7.2.1-0.fp18, 7.2.1-0.fp19, 7.2.1-0.fp20, 7.2.10, 7.3.1-0.1, 7.3.1-0.3, 7.3.1-0.ep3, 7.3.1-0.ep4, 7.3.1-0.ep5, 7.3.1-0.fp1, 7.3.1-0.fp2, 7.3.1-0.u10, 7.3.1-0.u11, 7.3.1-0.u12, 7.3.1-0.u13, 7.3.1-0.u14, 7.3.1-0.u15, 7.3.1-0.u16, 7.3.1-0.u17, 7.3.1-0.u18, 7.3.1-0.u19, 7.3.1-0.u19-1, 7.3.1-0.u20, 7.3.1-0.u20-1, 7.3.1-0.u21, 7.3.1-0.u21-1, 7.3.1-0.u22, 7.3.1-0.u22-1, 7.3.1-0.u23, 7.3.1-0.u24, 7.3.1-0.u25, 7.3.1-0.u26, 7.3.1-0.u27, 7.3.1-0.u28, 7.3.1-0.u29, 7.3.1-0.u30, 7.3.1-0.u31, 7.3.1-0.u32, 7.3.1-0.u33, 7.3.1-0.u34, 7.3.1-0.u35, 7.3.1-0.u36, 7.3.10, 7.4.1-3.u1, 7.4.1-3.u2, 7.4.1-3.u3, 7.4.1-3.u4, 7.4.1-3.u5, 7.4.1-3.u6, 7.4.1-3.u7, 7.4.1-3.u8, 7.4.1-3.u9, 7.4.1-3.u10, 7.4.1-3.u15, 7.4.1-3.u16, 7.4.1-3.u17, 7.4.1-3.u18, 7.4.1-3.u19, 7.4.1-3.u20, 7.4.1-3.u21, 7.4.1-3.u22, 7.4.1-3.u23, 7.4.1-3.u24, 7.4.1-3.u25, 7.4.1-3.u26, 7.4.1-3.u27, 7.4.1-3.u28, 7.4.1-3.u29, 7.4.1-3.u30, 7.4.1-3.u31, 7.4.1-3.u32, 7.4.1-3.u33, 7.4.1-3.u34, 7.4.1-3.u35, 7.4.1-3.u36, 7.4.1-3.u37, 7.4.1-3.u38, 7.4.1-3.u39, 7.4.1-3.u40, 7.4.1-3.u41, 7.4.1-3.u42, 7.4.1-3.u43, 7.4.1-3.u44, 7.4.1-3.u45, 7.4.1-3.u46, 7.4.1-3.u47, 7.4.1-3.u48, 7.4.1-3.u49, 7.4.1-3.u50, 7.4.1-3.u51, 7.4.1-3.u52, 7.4.1-3.u53, 7.4.1-3.u54, 7.4.1-3.u55, 7.4.1-3.u56, 7.4.1-3.u57, 7.4.1-3.u58, 7.4.1-3.u59, 7.4.1-3.u60, 7.4.1-3.u61, 7.4.1-3.u62, 7.4.1-3.u63, 7.4.1-3.u64, 7.4.1-3.u65, 7.4.1-3.u66, 7.4.1-3.u67, 7.4.1-3.u68, 7.4.1-3.u69, 7.4.1-3.u70, 7.4.1-3.u71, 7.4.1-3.u72, 7.4.1-3.u73, 7.4.1-3.u74, 7.4.1-3.u75, 7.4.1-3.u76, 7.4.1-3.u77, 7.4.1-3.u78, 7.4.1-3.u79, 7.4.1-3.u80, 7.4.1-3.u81, 7.4.1-3.u82, 7.4.1-3.u83, 7.4.1-3.u84, 7.4.1-3.u85, 7.4.1-3.u86, 7.4.1-3.u87, 7.4.1-3.u88, 7.4.1-3.u89, 7.4.1-3.u90, 7.4.1-3.u91, 7.4.1-3.u92, 7.4.1-3.u100, 7.4.1-3.u101, 7.4.1-3.u102, 7.4.1-3.u112, 7.4.1-3.u136, 7.4.11, 7.4.12, 7.4.13

All unaffected versions
maven:com.liferay.portal:release.portal.bom >= 7.2.0, < 7.4.3.132 7.4.3.132
5 Dependent packages
33 Dependent repositories

Affected Version Ranges

All affected versions

7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2

All unaffected versions

7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3

A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

References:

Identifiers

GHSA-qhp6-vp7c-g7xp

CVE-2025-3760

Risk

Severity

Moderate

CVSS

CVSS Score: 4.8

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS

EPSS Percentage: 0.00292

EPSS Percentile: 0.52181

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

5 months ago

Updated

5 months ago

API

JSON