-
Liferay Portal 7.4.3.8 through 7.4.3.97 Liferay DXP 2023.Q3 before patch 5 Liferay DXP 7.4 update 4 through 92 Liferay Portal 7.4.3.98 Liferay DXP 2023.Q3.5 This issue was reported by Amin ACHOUR...
-
Severity 1 Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
-
Severity 2 Open redirect vulnerability in the Countries Management’s edit region page in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the...
-
Liferay Portal 7.4.3.5 Liferay DXP 7.4 update 1 Liferay DXP 7.3 update 4 Liferay DXP 7.2 fix pack 17 Severity 1 Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web script...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web...
-
Liferay Portal 7.4.0 through 7.4.2 Liferay Portal 7.3.0 through 7.3.7 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported versions Liferay DXP 7.3 before service pack 3 Liferay DXP 7.2...
-
Severity 2 The Calendar module in Liferay Portal and Liferay DXP does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject...
-
Liferay Portal 7.4.0 through 7.4.2 Liferay Portal 7.3.0 through 7.3.7 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported versions Liferay DXP 7.3 before update 4 Liferay DXP 7.2...
-
Severity 2 Liferay Portal and Liferay DXP does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote...
-
Liferay Portal 7.4.2 Liferay DXP 7.3 service pack 3 Liferay DXP 7.2 fix pack 15 Severity 2 In Liferay Portal and Liferay DXP the `doAsUserId` URL parameter may get leaked when creating linked...
-
Severity 1 Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via crafted...
-
Severity 2 Liferay Portal and Liferay DXP returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote...
-
Liferay Portal 7.4.0 through 7.4.3.11 Liferay Portal 7.3.0 through 7.3.7 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported versions Liferay DXP 7.4 before update 8 Liferay DXP 7.3...
-
Severity 2 The IFrame widget in Liferay Portal and Liferay DXP does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self...
-
Liferay DXP 7.4 update 86 Liferay Portal 7.4.3.86 This issue was reported by Amin ACHOUR Severity 1 Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 1 Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal and Liferay DXP allow remote...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Stored cross-site scripting (XSS) vulnerability in the Page Tree menu in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...
-
Severity 2 Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.3 before update 33 Liferay DXP 7.4 before update 92 Liferay Portal 7.3.5 through 7.4.3.91 Liferay DXP 7.4 update 92 Liferay Portal 7.4.3.92 This issue was reported by Michael Oelke...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML into a parent wiki...
-
Severity 2 Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 The organization selector in Liferay Portal and Liferay DXP does not check user permission, which allows remote authenticated users to obtain a list of all organizations. Liferay DXP 7.4...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 1 Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to execute arbitrary code in the...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
This issue was reported by NDIx Severity 2 Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to redirect users to...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 1 Pattern Redirects in Liferay Portal and Liferay DXP allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
The Dynamic Data Mapping module in Liferay Portal and Liferay DXP does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
The Object module in Liferay Portal and Liferay DXP does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 before update 49 Liferay Portal 7.4.3.4 - 7.4.3.48 Liferay DXP 7.4 update 49 Liferay Portal 7.4.3.49 The Object module in Liferay Portal and Liferay DXP does properly isolate...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Liferay DXP 7.3 before update 6 Liferay DXP 7.4 before update 18 Liferay Portal 7.3.1 - 7.3.7 Liferay Portal 7.4.0 - 7.4.3.17 Liferay DXP 7.3 update 6 Liferay DXP 7.4 update 18 Liferay...
-
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a...
-
Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 update 51 Liferay Portal 7.4.3.51 Liferay DXP 7.4 update 50 Liferay Portal 7.4.3.50 Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal and Liferay DXP allow remote attackers to inject...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 before update 31 Liferay Portal 7.4.0 - 7.4.3.30 Liferay DXP 7.4 update 31 Liferay Portal 7.4.3.31 Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay...
Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script...
-
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle...
-
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.2 does not validate HTTPS certificates used with DDMRESTDataProvider, which allows man-in-the-middle attackers to impersonate,...