GHSA-qhp6-vp7c-g7xp

Source
https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qhp6-vp7c-g7xp
Aliases
Published
2025-04-17T15:32:35Z
Modified
2025-12-20T03:22:12.206231Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
Liferay Cross-site Scripting vulnerability
Details

A stored cross-site scripting (XSS) vulnerability in radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20, allows remote authenticated attackers to inject malicious JavaScript into a page.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-04-17T13:15:41Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2025-04-17T18:31:14Z",
    "severity": "MODERATE"
}
References

Affected packages

Maven
com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.4.3.132

Affected versions

7.*
7.2.0
7.2.1
7.2.1-1
7.3.0
7.3.0-1
7.3.1
7.3.1-1
7.3.2
7.3.2-1
7.3.3
7.3.3-1
7.3.4
7.3.5
7.3.6
7.3.7
7.4.0
7.4.1
7.4.1-1
7.4.2
7.4.2-1
7.4.3.4
7.4.3.5
7.4.3.6
7.4.3.7
7.4.3.8
7.4.3.9
7.4.3.10
7.4.3.11
7.4.3.12
7.4.3.13
7.4.3.14
7.4.3.15
7.4.3.16
7.4.3.17
7.4.3.18
7.4.3.19
7.4.3.20
7.4.3.20-ga20
7.4.3.21
7.4.3.21-ga21
7.4.3.22
7.4.3.23
7.4.3.24
7.4.3.25
7.4.3.26
7.4.3.27
7.4.3.28
7.4.3.29
7.4.3.30
7.4.3.31
7.4.3.32
7.4.3.33
7.4.3.34
7.4.3.35
7.4.3.36
7.4.3.37
7.4.3.38
7.4.3.39
7.4.3.40
7.4.3.41
7.4.3.42
7.4.3.43
7.4.3.44
7.4.3.45
7.4.3.46
7.4.3.47
7.4.3.48
7.4.3.49
7.4.3.50
7.4.3.51
7.4.3.52
7.4.3.53
7.4.3.54
7.4.3.55
7.4.3.56
7.4.3.57
7.4.3.58
7.4.3.59
7.4.3.60
7.4.3.60-ga60
7.4.3.61
7.4.3.61-ga61
7.4.3.62
7.4.3.63
7.4.3.64
7.4.3.65
7.4.3.66
7.4.3.67
7.4.3.68
7.4.3.69
7.4.3.70
7.4.3.71
7.4.3.72
7.4.3.73
7.4.3.74
7.4.3.75
7.4.3.76
7.4.3.77
7.4.3.78
7.4.3.79
7.4.3.80
7.4.3.81
7.4.3.82
7.4.3.83
7.4.3.84
7.4.3.85
7.4.3.85-ga85
7.4.3.86
7.4.3.87
7.4.3.88
7.4.3.89
7.4.3.90
7.4.3.91
7.4.3.92
7.4.3.93
7.4.3.94
7.4.3.95
7.4.3.95-1
7.4.3.96
7.4.3.97
7.4.3.98
7.4.3.99
7.4.3.100
7.4.3.101
7.4.3.102
7.4.3.103
7.4.3.104
7.4.3.105
7.4.3.106
7.4.3.107
7.4.3.112
7.4.3.112-ga112
7.4.3.120
7.4.3.120-ga120
7.4.3.125
7.4.3.125-ga125
7.4.3.129

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.10.fp1
Last affected
7.2.10.fp20

Affected versions

7.*
7.2.10.fp1
7.2.10.fp1-1
7.2.10.fp2
7.2.10.fp3
7.2.10.fp4
7.2.10.fp5
7.2.10.fp6
7.2.10.fp7
7.2.10.fp8
7.2.10.fp9
7.2.10.fp10
7.2.10.fp11
7.2.10.fp12
7.2.10.fp13
7.2.10.fp14
7.2.10.fp15
7.2.10.fp16
7.2.10.fp17
7.2.10.fp18
7.2.10.fp19
7.2.10.fp20

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.3.10.ep1
Last affected
7.3.10.u36

Affected versions

7.*
7.3.10.ep3
7.3.10.ep4
7.3.10.ep5
7.3.10.fp1
7.3.10.fp2
7.3.10.u4
7.3.10.u5
7.3.10.u6
7.3.10.u7
7.3.10.u8
7.3.10.u9
7.3.10.u10
7.3.10.u11
7.3.10.u12
7.3.10.u13
7.3.10.u14
7.3.10.u15
7.3.10.u16
7.3.10.u17
7.3.10.u18
7.3.10.u19
7.3.10.u19-1
7.3.10.u20
7.3.10.u20-1
7.3.10.u21
7.3.10.u21-1
7.3.10.u22
7.3.10.u22-1
7.3.10.u23
7.3.10.u24
7.3.10.u25
7.3.10.u26
7.3.10.u27
7.3.10.u28
7.3.10.u29
7.3.10.u30
7.3.10.u31
7.3.10.u32
7.3.10.u33
7.3.10.u34
7.3.10.u35
7.3.10.u36

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.13.u1
Last affected
7.4.13.u92

Affected versions

7.*
7.4.13.u1
7.4.13.u2
7.4.13.u3
7.4.13.u4
7.4.13.u5
7.4.13.u6
7.4.13.u7
7.4.13.u8
7.4.13.u9
7.4.13.u10
7.4.13.u15
7.4.13.u16
7.4.13.u17
7.4.13.u18
7.4.13.u19
7.4.13.u20
7.4.13.u21
7.4.13.u22
7.4.13.u23
7.4.13.u24
7.4.13.u25
7.4.13.u26
7.4.13.u27
7.4.13.u28
7.4.13.u29
7.4.13.u30
7.4.13.u31
7.4.13.u32
7.4.13.u33
7.4.13.u34
7.4.13.u35
7.4.13.u36
7.4.13.u37
7.4.13.u38
7.4.13.u39
7.4.13.u40
7.4.13.u41
7.4.13.u42
7.4.13.u43
7.4.13.u44
7.4.13.u45
7.4.13.u46
7.4.13.u47
7.4.13.u48
7.4.13.u49
7.4.13.u50
7.4.13.u51
7.4.13.u52
7.4.13.u53
7.4.13.u54
7.4.13.u55
7.4.13.u56
7.4.13.u57
7.4.13.u58
7.4.13.u59
7.4.13.u60
7.4.13.u61
7.4.13.u62
7.4.13.u63
7.4.13.u64
7.4.13.u65
7.4.13.u66
7.4.13.u67
7.4.13.u68
7.4.13.u69
7.4.13.u70
7.4.13.u71
7.4.13.u72
7.4.13.u73
7.4.13.u74
7.4.13.u75
7.4.13.u76
7.4.13.u77
7.4.13.u78
7.4.13.u79
7.4.13.u80
7.4.13.u81
7.4.13.u82
7.4.13.u83
7.4.13.u84
7.4.13.u85
7.4.13.u86
7.4.13.u87
7.4.13.u88
7.4.13.u89
7.4.13.u90
7.4.13.u91
7.4.13.u92

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2023.Q3.1
Last affected
2023.Q3.10

Affected versions

2023.*
2023.q3.1
2023.q3.2
2023.q3.3
2023.q3.4
2023.q3.5
2023.q3.6
2023.q3.7
2023.q3.8
2023.q3.9
2023.q3.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2023.Q4.0
Last affected
2023.Q4.10

Affected versions

2023.*
2023.q4.0
2023.q4.1
2023.q4.2
2023.q4.3
2023.q4.4
2023.q4.5
2023.q4.6
2023.q4.7
2023.q4.8
2023.q4.9
2023.q4.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q1.1
Fixed
2024.Q1.13

Affected versions

2024.*
2024.q1.1
2024.q1.2
2024.q1.3
2024.q1.4
2024.q1.5
2024.q1.6
2024.q1.7
2024.q1.8
2024.q1.9
2024.q1.10
2024.q1.11
2024.q1.12

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
last_known_affected_version_range
"<= 2024.Q1.12"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q2.0
Last affected
2024.Q2.13

Affected versions

2024.*
2024.q2.0
2024.q2.1
2024.q2.2
2024.q2.3
2024.q2.4
2024.q2.5
2024.q2.6
2024.q2.7
2024.q2.8
2024.q2.9
2024.q2.10
2024.q2.11
2024.q2.12
2024.q2.13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q3.1
Fixed
2024.Q3.10

Affected versions

2024.*
2024.q3.1
2024.q3.2
2024.q3.3
2024.q3.4
2024.q3.5
2024.q3.6
2024.q3.7
2024.q3.8
2024.q3.9

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
last_known_affected_version_range
"<= 2024.Q3.9"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q4.1
Fixed
2025.Q1.0

Affected versions

2024.*
2024.q4.1
2024.q4.2
2024.q4.3
2024.q4.4
2024.q4.5
2024.q4.6
2024.q4.7

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
last_known_affected_version_range
"<= 2024.Q4.7"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.10
Last affected
7.2.10.8

Affected versions

7.*
7.2.10
7.2.10.fp1
7.2.10.fp1-1
7.2.10.fp2
7.2.10.fp3
7.2.10.fp4
7.2.10.fp5
7.2.10.fp6
7.2.10.fp7
7.2.10.fp8
7.2.10.fp9
7.2.10.fp10
7.2.10.fp11
7.2.10.fp12
7.2.10.fp13
7.2.10.fp14
7.2.10.fp15
7.2.10.fp16
7.2.10.fp17
7.2.10.fp18
7.2.10.fp19
7.2.10.fp20
7.2.10.1
7.2.10.2
7.2.10.3
7.2.10.3-1
7.2.10.4
7.2.10.4-1
7.2.10.5
7.2.10.5-1
7.2.10.6
7.2.10.7
7.2.10.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.3.10.0
Last affected
7.3.10.3

Affected versions

7.*
7.3.10
7.3.10.ep3
7.3.10.ep4
7.3.10.ep5
7.3.10.fp1
7.3.10.fp2
7.3.10.u4
7.3.10.u5
7.3.10.u6
7.3.10.u7
7.3.10.u8
7.3.10.u9
7.3.10.u10
7.3.10.u11
7.3.10.u12
7.3.10.u13
7.3.10.u14
7.3.10.u15
7.3.10.u16
7.3.10.u17
7.3.10.u18
7.3.10.u19
7.3.10.u19-1
7.3.10.u20
7.3.10.u20-1
7.3.10.u21
7.3.10.u21-1
7.3.10.u22
7.3.10.u22-1
7.3.10.u23
7.3.10.u24
7.3.10.u25
7.3.10.u26
7.3.10.u27
7.3.10.u28
7.3.10.u29
7.3.10.u30
7.3.10.u31
7.3.10.u32
7.3.10.u33
7.3.10.u34
7.3.10.u35
7.3.10.u36
7.3.10.0-2
7.3.10.1
7.3.10.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Affected versions

7.*
7.4.13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-qhp6-vp7c-g7xp/GHSA-qhp6-vp7c-g7xp.json"