- All files within the application's WAR folder are accessible via crafted URL. Severity 1. Liferay Portal 7.0.5. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- This issue was reported by Tomas Bortoli. Open redirect vulnerability in the Asset Publisher application allows remote attackers to redirect users to arbitrary web sites. Severity 2. Liferay Portal... Releases: Liferay Portal 7.0.
- Unauthenticated users can modify system settings to gain administration privileges. Severity 1. Liferay Portal 7.0.5. Releases: Liferay Portal 7.0.
- Liferay Portal 7.0.5. March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.0.4 and earlier,... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Passwords are visible to administrators in the System Settings section of the Control Panel. Severity 2. Liferay Portal 7.0.5. Releases: Liferay Portal 7.0.
- Multiple permission issues allow users to perform actions on resources which they are not authorized to perform. Severity 2. Liferay Portal 7.0.5. Releases: Liferay Portal 7.0.
- Liferay Portal 7.0.5. Some vulnerabilities reported by Marko Winkler. Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page.... Releases: Liferay Portal 7.0.
- In a shared environment (e.g., a computer at a library or internet cafe), a user's reminder query answer may be accessible by another user. Severity 2. Liferay Portal 7.0.4. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- A user's email address, screen name or user ID (depending on the authentication method) is exposed in the URL. Severity 2. Liferay Portal 7.0.4. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Multiple permission issues allow users to perform actions on resources which they are not authorized to perform. Severity 2. Liferay Portal 7.0.4. Releases: Liferay Portal 7.0.
- Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. Liferay Portal 7.0.4. Releases: Liferay Portal 7.0.
- 7.0.3-ce-ga4-security-1.0 patch (source). In Liferay Portal 7.0 CE GA4, the path to all OSGi bundles is exposed via crafted URL. Severity 1. Releases: Liferay Portal 7.0.
- In Liferay Portal 7.0 CE GA3, Velocity and FreeMarker templates do not properly restrict the use of some variables, which allows any user with permission to create a template to insert arbitrary... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay Portal 7.0 CE GA4, multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. 7.0.3-ce-ga4-security-1.0... Releases: Liferay Portal 7.0.
- 7.0.3-ce-ga4-security-1.0 patch (source). March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay Portal 7.0 CE GA4, AggregateFilter, MinifierFilter and DynamicCSSFilter allow unauthenticated users to cause a denial of service (disk consumption) via crafted URL. Severity 1... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. Liferay Portal 7.0.0. This issue was reported by Marko Winkler. Releases: Liferay Portal 6.2 CE.
- Liferay Portal 7.0.0. User credentials may appear in the logs if the user authenticates using basic authentication. Severity 2. Releases: Liferay Portal 6.2 CE.
- Insufficient permission checking in Message Board and Comments allows unauthorized users to edit and/or delete other users' messages or comments. Severity 2. Liferay Portal 7.0.0. This issue was... Releases: Liferay Portal 6.2 CE.
- Users without the necessary permission can view page configuration information via crafted URLs. Severity 2. Liferay Portal 7.0.0. This issue was reported by Spyridon Chatzimichail. Releases: Liferay Portal 6.2 CE.
- When JAAS is enabled, ThreadLocal may leak variables to other processes. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Passwords are visible to administrators in the Server Administration section of the Control Panel. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- System settings (including credentials/passwords) may be exposed when performing a data migration. The information exposure is limited to the administrator user who executed the data migration.... Releases: Liferay Portal 7.0.
- Liferay Portal 7.0.3. Some vulnerabilities reported by Spyridon Chatzimichail. Multiple permission issues allow users to perform actions on resources which they are not authorized to perform. Severity 2. Releases: Liferay Portal 7.0.
- The password history checking functionality in a password policy can be circumvented via forgot password. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Open redirect vulnerability in the Search application allows remote attackers to redirect users to arbitrary web sites. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Liferay Portal 7.0.3. March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Apache Commons FileUpload, as used... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Apache Tika is vulnerable to XML External Entity (XXE) processing attacks. This vulnerability can allow an attacker to access files on the file system and/or take down the portal (denial of... Releases: Liferay Portal 7.0.
- Unsanitized data in SessionClicks allows an attacker to cause a denial of service (DoS) via crafted URLs. The denial of service is limited to users who have clicked on the crafted URL and may... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. Liferay Portal 7.0.3. Some vulnerabilities reported by Craig... Releases: Liferay Portal 7.0.
- This issue was reported by Jacob Baines. TunnelServlet allows remote code execution by unauthenticated users. Severity 1. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Liferay Portal 7.0.2. If the log level is set to DEBUG, LDAP credentials are exposed in the logs. Severity 2. Releases: Liferay Portal 7.0.
- In Liferay Portal 7.0.1 and earlier, PDFBox does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Editing a blog entry may reset the blog entry's permissions to the default permissions. This may allow a user without the necessary permission to view a blog entry. Severity 2. Liferay Portal 7.0.2. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Liferay Portal 7.0.2. The search results in the Search portlet may include results which a user does not have permission to view. Severity 2. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- The portal is vulnerable to open redirects for certain types of URLs. An attacker can potentially exploit this security vulnerability to mislead a user to a different website. Severity 2. Liferay... Releases: Liferay Portal 7.0.
- This ticket covers various inline JavaScript related cross-site scripting (XSS) vulnerabilities. An attacker can potentially exploit this security vulnerability to insert malicious JavaScript into a... Releases: Liferay Portal 7.0.
- A reflected cross-site scripting (XSS) vulnerability exists in the <aui:form> tag. An attacker can potentially exploit this security vulnerability to insert malicious JavaScript into a page.... Releases: Liferay Portal 7.0.
- A reflected cross-site scripting (XSS) vulnerability exists in the <aui:form> tag. An attacker can potentially exploit this security vulnerability to insert malicious JavaScript into a page.... Releases: Liferay Portal 7.0.
- Liferay Portal 7.0.2. A stored cross-site scripting (XSS) vulnerability exists in Monitoring. An attacker can potentially exploit this security vulnerability to insert malicious JavaScript into a... Releases: Liferay Portal 7.0.
- By default, Liferay Portal gives every registered user the Power User role. When a signed-in user has the Power User role, the user will have their own site and permissions to manage the site... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Cross-Site Request Forgery (CSRF) tokens are persisted in the database and may make it easier for an attacker to launch a CSRF attack. Severity 2. Liferay Portal 7.0.1. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Liferay Portal 7.0.1. An open redirect vulnerability exists with Facebook authentication. An attacker can potentially exploit this security vulnerability to redirect users to a different site.... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- By constructing the correct URL, some restricted Web Application Bundle (WAB) resources may be accessible. Severity 2. Liferay Portal 7.0.1. Releases: Liferay Portal 7.0.
- This ticket covers various permission issues in Liferay Portal 7.0 CE GA1 that may result in a user having permissions the user should not have. Severity 1. Liferay Portal 7.0.1. Releases: Liferay Portal 7.0.
- This ticket covers various cross-site scripting (XSS) issues in Liferay Portal 7.0 CE GA1. Severity 2. Liferay Portal 7.0.1. Releases: Liferay Portal 7.0.
- Velocity and FreeMarker templates are vulnerable to remote code execution (RCE) and privilege escalation. Severity 1. Note that there are two binary patches which fix this issue, as well as all... Releases: Liferay Portal 6.2 CE.
- Password policies can be configured to lock out a user after a specified number of failed login attempts. However, if a user is using digest authentication, this lockout can be circumvented.... Releases: Liferay Portal 6.2 CE.
- Note that there are two binary patches which fix this issue, as well as all previous CST fixes for this release. You only need to apply one of these, not both. Binary Patch 1: The "complete" patch... Releases: Liferay Portal 6.2 CE.
- An open redirect vulnerability may be possible with some specially constructed domain names. An attacker can potentially exploit this security vulnerability to redirect users to a different... Releases: Liferay Portal 6.2 CE.
- A vulnerability known as the "Java Deserialization Vulnerability" was discovered, and Liferay Portal is potentially vulnerable in the following locations: TunnelServlet: Spring-Remoting services By... Releases: Liferay Portal 6.2 CE.
- Note that there are two binary patches which fix this issue, as well as all previous CST fixes for this release. You only need to apply one of these, not both. Binary Patch 1: The "complete" patch... Releases: Liferay Portal 6.2 CE.
- This ticket covers various permission issues in Liferay Portal 6.2 CE GA6 that may result in a user having permissions the user should not have. Severity 2. Note that there are two binary patches... Releases: Liferay Portal 6.2 CE.
- The XSL Content portlet can be configured with any XML/XSL. The XSL Content portlet allows anyone who has permission to configure the portlet to specify any XML/XSL file. By creating the appropriate... Releases: Liferay Portal 6.2 CE.
- Flash does not strictly honor the same-origin policy. As a result, if an attacker is able to upload a malicious Flash file to the portal, the Flash file can be used to circumvent the portal's CSRF... Releases: Liferay Portal 6.2 CE.
- The version of openid4java.jar that is currently used by the portal is vulnerable to XXE attack. Severity 2. Note that there are two binary patches which fix this issue, as well as all previous CST... Releases: Liferay Portal 6.2 CE.
- Note that there are two binary patches which fix this issue, as well as all previous CST fixes for this release. You only need to apply one of these, not both. Binary Patch 1: The "complete" patch... Releases: Liferay Portal 6.2 CE.
- The MailEngine API is vulnerable to email header injection. This issue only affects users who are calling the MailEngine directly. Severity 3. Note that there are two binary patches which fix this... Releases: Liferay Portal 6.2 CE.
- This ticket covers various permission issues in Liferay Portal 6.2 CE GA3 that may result in a user having permissions the user should not have. Severity 2. Note that there are two binary patches... Releases: Liferay Portal 6.2 CE.
- Note that there are two binary patches which fix this issue, as well as all previous CST fixes for this release. You only need to apply one of these, not both. Binary Patch 1: The "complete" patch... Releases: Liferay Portal 6.2 CE.