Liferay Portal
Moderate fix1 remedy
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*
Moderate fix1 remedy
- >= 7.4.3.35, <= 7.4.3.110
Liferay Portal and DXP Calendar Widget Cross-Site Scripting Vulnerability
Vulnerability
Patched
A cross-site scripting (XSS) vulnerability has been identified in the Calendar widget of Liferay Portal and Liferay DXP. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML by exploiting the First Name, Middle text, or Last Name fields when inviting users to an event. The issue affects Liferay Portal versions 7.4.3.35 to 7.4.3.110, as well as several Liferay DXP 2023 and 2024 releases.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.
Remediation
Users can upgrade to Liferay Portal 7.4.3.111, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.5, or Liferay DXP 2023.Q3.7.
Added: Sep 29, 2025, 10:22 PM
Updated: Sep 29, 2025, 10:22 PM
Vulnerability Rating
Custom Algorithm
spread
3.1impact
1.7exploitability
5.0remediation
7.7relevance
0.6threat
0.0urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.