- In Liferay Portal 7.1.0 through 7.2.1, an open redirect vulnerability exists with the 'redirect' parameter in System Settings' search. Severity 2. September 2020 source patch for Liferay Portal... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- The OAuth module in Liferay Portal 7.1.0 through 7.2.1 contains an authentication flaw which allows an attacker with a valid OAuth2 token to access the REST application APIs in a different Portal... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Stored cross-site scripting (XSS) vulnerability in the Document Library module in Liferay Portal 7.1.0 through 7.2.1 allows remote attackers to inject arbitrary web script or HTML via the user's... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Multiple cross-site scripting (XSS) vulnerabilities in the fragment module in Liferay Portal 7.1.0 through 7.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1)...
- This issue was reported by Jawwad Hussain. In Liferay Portal before 7.3.1, the PortalUtil.escapeRedirect() API can be circumvented by using the tab character. This may allow an attacker to redirect...
- In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the existence of a private site and the site name are disclosed in the Blogs widget's RSS feed. Severity 2. Liferay Portal 7.2.1... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, any user can display an unconfigured instance of an instantiable widget. Severity 2. Liferay Portal 7.2.1. June 2020 source patch... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source patch for Liferay Portal 7.1.3. Details... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal 7.1.3, 7.2.1 and possibly earlier unsupported versions, exporting Page Fragments and Page Fragment Collections can overwrite files in the filesystem with the following filenames:... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Liferay Portal 7.1.3 and 7.2.1 include the following libraries which have known vulnerabilities: Apache Commons Compress 1.18, Bouncy Castle Provider 1.45, c3p0 0.9.5.3, Jackson Databind 2.9.9.3... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal 7.1.3, 7.2.1 and possibly earlier unsupported versions, the setup wizard will automatically download MySQL Connector/J if the selected database is MySQL. This download is done... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Some vulnerabilities reported by Casey Erdmann, Giuseppino Cadeddu and Simone Cinti. Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.1.3, 7.2.1 and possibly earlier... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Liferay Portal 7.x before 7.2.1 is vulnerable to Server-Side Request Forgery (SSRF) via the DDM REST Data Provider, which allows an attacker access to sensitive information. This issue exists because...
- In Liferay Portal 7.1.3 and possibly earlier unsupported versions, the JAX-RS API does not check for a CSRF token, which allows remote attackers to perform cross-site request forgery (CSRF)... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.2.1. June 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.1 and earlier,...
- In Liferay Portal 7.2.1 and earlier, a Java deserialization vulnerability exists when the portal is clustered. Communication between the nodes can be intercepted and modified. This may result in... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal before 7.3.2, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and...
- Liferay Portal 7.3.2. June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source patch for Liferay...
- Liferay Portal 7.1.3 and possibly earlier unsupported versions is bundled with Apache Tika 1.20, which contains known vulnerabilities. Severity 2. March 2020 source patch for Liferay Portal... (Releases: Liferay Portal 7.1)
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.1.3 and possibly earlier unsupported... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1.3 and possibly earlier unsupported versions is bundled with Jasig CAS Client 3.1.12, which contains known vulnerabilities. Severity 2. March 2020 source patch for Liferay... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1.3 and possibly earlier unsupported versions is bundled with Jackson Databind 2.9.8, which contains known vulnerabilities. Severity 2. March 2020 source patch for Liferay... (Releases: Liferay Portal 7.1)
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.1.3 and possibly earlier unsupported... (Releases: Liferay Portal 7.1)
- Insecure default configuration in Liferay Portal 7.2.0 and earlier allows man-in-the-middle attackers to intercept the email sent to users when their account is created and log in as the user. ... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal 7.1.3 and possibly earlier unsupported versions, the 'com.liferay.frontend.js.lodash.web' bundle includes Lodash 4.17.4, which has known vulnerabilities. Severity 2. March 2020... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1.0 and earlier is vulnerable to denial-of-service (DoS) attacks via file uploads because of vulnerabilities in Apache Tika. Severity 1. Liferay Portal 7.1.1. March 2020 source patch...
- Liferay Portal 7.2.1. March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.0 and earlier,... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the LDAP credentials are transmitted in plain text. Severity 2. March 2020 source patch for Liferay Portal 7.1.3. Details for... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the 'X-Forwarded-Host' HTTP header can be used to bypass the whitelisted hosts provided in the portal property... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1.3 and earlier is vulnerable to remote code execution via deserialization of JSON data. Severity 1. March 2020 source patch for Liferay Portal 7.1.3. Details for working with... (Releases: Liferay Portal 7.1)
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. The open redirect protection component in Liferay Portal... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the user's password is visible on the screen immediately after the account creation process. Severity 2. March 2020 source... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA4 and earlier, a potential SQL injection vulnerability exists in the asset framework. Severity 1. March 2020 source patch for Liferay Portal 7.1.3. Details for working with...
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.1 CE GA4 and possibly earlier... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, users may be tricked into creating an account with an OpenID provider. If the OpenID provider is not trustworthy, an attacker... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA4, multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. March 2020 source patch for... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1 GA1 and possibly earlier unsupported versions truncates the regular expression field in a password policy. This may result in users using passwords which they should not use.... (Releases: Liferay Portal 7.1)
- Multiple permission issues exist in Liferay Portal 7.1 CE GA4 which allow users to perform actions on resources which they are not authorized to perform. Severity 2. March 2020 source patch for... (Releases: Liferay Portal 7.1)
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay 7.1.0 through 7.1.3, unauthorized users can... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the Sign In widget may expose the user's email address and/or password in the page's HTML source. This may allow a third... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the search results from the Search Bar widget use links that redirect users to HTTP instead of HTTPS. Severity 2. Liferay... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the 'com.liferay.map.openstreetmap' bundle loads the npm package leaflet using HTTP instead of HTTPS. Severity 2. Liferay... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Liferay Portal 7.2.1. March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.1 CE GA4, 7.2 CE... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Liferay Portal 7.2.0 and earlier contains a remote code execution (RCE) vulnerability via JSON web services (JSONWS). Workaround: disable JSONWS by setting the portal.property...
- In Liferay Portal 7.1 CE GA4, 7.2 CE GA1 and possibly earlier unsupported versions, the /user/send-password-by-* JSONWS APIs can be used in a denial-of-service attack on the mail server. Severity 2... (Releases: Liferay Portal 7.2, Liferay Portal 7.1)
- Liferay Portal 7.1.1. March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page. March 2020 source patch for Liferay...
- Liferay Portal 7.1.3. When defining permissions for a role in Liferay Portal 7.1 CE GA3 and older unsupported versions, some permissions may be selected by default. This may unintentionally lead to... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA3 and older unsupported versions, an open redirect vulnerability exists in the Language Selector widget. Severity 2. Liferay Portal 7.1.3 (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA3 and older unsupported versions, a path traversal vulnerability exists in poller. Severity 2. Liferay Portal 7.1.3 (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1 CE GA3 includes the following libraries which have known vulnerabilities: Apache Batik 1.7, Apache HttpClient 4.1, Apache PDFBox 2.0.9, Apache Tika 1.18, c3p0 0.9.5.2, Ehcache 2.8.3... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA3, multiple cross-site scripting (XSS) vulnerabilities exist which allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. Liferay Portal... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1 CE GA3 and older unsupported versions is vulnerable to Server-Side Request Forgery (SSRF) via the DDM REST Data Provider, which allows an attacker... (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1.3. In Liferay Portal 7.1 CE GA3 and older unsupported versions, Message Boards posts that are marked as "Anonymous" can be associated with the user who posted them. This issue exists... (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA3 and older unsupported versions, a company's secret key is accessible via templates. Severity 2. Liferay Portal 7.1.3 (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE GA3 and older unsupported versions, user password hashes and password reminder answers may appear in the logs if a database error occurs. Severity 2. Liferay Portal 7.1.3 (Releases: Liferay Portal 7.1)
- Multiple permission issues exist in Liferay Portal 7.1 CE GA3 which allow users to perform actions on resources which they are not authorized to perform. Severity 2. Liferay Portal 7.1.3 (Releases: Liferay Portal 7.1)
- Liferay Portal 7.1.2. Message Boards posts that are marked as "Anonymous" can be associated with the user who posted them. Severity 2 (Releases: Liferay Portal 7.1)
- An open redirect vulnerability exists in Liferay Portal 7.1 CE with the <liferay-ui:header> tag. Severity 2. Liferay Portal 7.1.2 (Releases: Liferay Portal 7.1)
- In Liferay Portal 7.1 CE, an unexpected error may produce an overly verbose error message that is visible to end users. Severity 2. Liferay Portal 7.1.2 (Releases: Liferay Portal 7.1)