-
Missing Authorization in Collection Provider component in the Liferay Portal and Liferay DXP allows instance users to read and select unauthorized Blueprints through the Collection Providers across...
-
A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal and Liferay DXP that allows a remote, authenticated attacker to inject and...
-
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote non-authenticated attacker to inject JavaScript into the google_gadget. Liferay Portal...
-
Liferay DXP 2024.Q4.6 Liferay DXP 2024.Q1.13 Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.5 A vulnerability in Liferay Portal and Liferay DXP allows sensitive user data to be included in the...
-
Liferay Portal 7.4.3.132 Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q4.4 Liferay Portal 7.4.3.121 through 7.3.3.131 Liferay DXP 2024.Q1.1 through 2024.Q1.12 Liferay DXP 2024.Q2.0...
-
A stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript through the organization site names. The malicious...
-
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor...
-
Improper Access Control vulnerability in Liferay Portal and Liferay DXP allows guest users to obtain object entries information via the API Builder. Liferay Portal 7.4.3.125 Liferay DXP 2024.Q1.13...
-
Liferay Portal 7.4.3.45 through 7.4.3.125 Liferay DXP 7.4 U45 through U92 Liferay DXP 2024.Q1.1 through 2024.Q1.12 Liferay DXP 2024.Q2.0 through 2024.Q2.9 Liferay Portal 7.4.3.129 Liferay Portal...
-
Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 7.4 GA through U92 Liferay DXP 2024.Q1.1 through DXP 2024.Q1.19 Liferay DXP 2024.Q2.0 through DXP 2024.Q2.13 Liferay DXP 2024.Q3.0 through DXP...
-
Liferay DXP 2025.Q1.17 Liferay DXP 2024.Q1.20 Liferay DXP 2025.Q2.10 Liferay Portal and Liferay DXP exposes "Internal Server Error" in the response body when a login attempt is made with a deleted...
-
Liferay DXP 2025.Q1.17 Liferay Portal fixed on master branch Liferay DXP 2025.Q1.17 Liferay DXP 2025.Q2.12 Liferay DXP 2024.Q1.21 Liferay DXP 2024.Q1.21 Liferay DXP 2025.Q2.12 Liferay Portal...
-
A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal and Liferay DXP that affects custom object attachment fields. This flaw allows an attacker to manipulate the...
-
Liferay Portal and Liferay DXP have a security vulnerability that allows improper access through the expandoTableLocalService. Liferay Portal fixed on master branch Liferay DXP 2025.Q2.1...
-
Liferay Portal and Liferay DXP allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled. Liferay Portal...
-
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.6 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.21 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.5 Liferay DXP...
-
Liferay DXP 2025.Q2.9 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.9 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.20 Liferay DXP 2024.Q1.20 Liferay DXP 2025.Q1.16 This issue was reported...
-
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated user to inject JavaScript code via...
-
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.8 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.20 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.7 Liferay DXP...
-
Liferay DXP 2025.Q2.3 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.3 Liferay DXP 2025.Q1.15 Liferay DXP 2024.Q1.19 Liferay DXP 2024.Q1.19 Liferay DXP 2025.Q1.15 This issue was reported...
-
Liferay DXP 2024.Q1.19 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript code via...
-
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript into the PortalUtil.escapeRedirect Liferay...
-
Liferay Portal and Liferay DXP allow users to upload an unlimited amount of files through the object entries attachment fields, the files are stored in the document_library allowing an attacker to...
-
A stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript into the...
-
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the...
-
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.15 Liferay DXP 2024.Q4.0 through 2024.Q4.7 Liferay DXP...
-
Liferay DXP 2024.Q1.18 Liferay DXP 2025.Q1.11 Liferay Portal 7.4.3.132 Liferay Portal and Liferay DXP is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the...
-
Liferay DXP 2024.Q4.6 This issue was reported by Shubham Shah - CTO @ Assetnote and Adam Kues - Security Researcher @ Assetnote A reflected cross-site scripting (XSS) vulnerability in the Liferay...
-
A Denial Of Service via File Upload (DOS) vulnerability in the Liferay Portal and Liferay DXP allows a user to upload more than 300kb profile picture into the user profile. This size more than the...
-
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.8 Liferay DXP 2024.Q1.17 Liferay Portal 7.4.3.32 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.7 Liferay...
-
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated user to inject JavaScript in message board threads and categories. Liferay...
-
Liferay Portal and Liferay DXP allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the...
-
Liferay DXP 2024.Q3.0 Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and Liferay DXP allows remote authenticated users from one virtual instance to access, create,...
-
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and Liferay DXP allows remote authenticated users to access a workflow definition by name via the API Liferay Portal 7.4.0...
-
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the URL in search bar portlet Liferay Portal...
-
SSRF vulnerability in FreeMarker templates in Liferay Portal and Liferay DXP allows template editors to bypass access validations via crafted URLs. Liferay Portal 7.4.0 through 7.4.3.132 Liferay...
-
Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.6 Liferay Portal and Liferay DXP allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library...
-
Liferay Portal and Liferay DXP allow any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, giving an attacker the possibility to send...
-
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote non-authenticated attacker to inject JavaScript into the...
-
Liferay Portal and Liferay DXP allows a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web due to improper validation of user-supplied URLs. An attacker...
-
Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.3 Liferay DXP 2024.Q4.0 through 2024.Q4.7 Liferay DXP 2024.Q3.1 through 2024.Q3.13 Liferay DXP 2024.Q2.0 through...
-
Liferay DXP 2025.Q1.4 Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q2.0 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker...
-
Liferay Portal and Liferay DXP allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs. Liferay Portal 7.4.0 through 7.4.3.131 Liferay...
-
Liferay Portal 7.4.3.132 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q3.10 Liferay DXP 2024.Q4.0 Liferay DXP 2025.Q1.0 Liferay Portal 7.4.3.86 through 7.4.3.131 Liferay DXP 2024.Q3.1 through 2024.Q3.9...
-
The Liferay Portal and Liferay DXP allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers....
-
A stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows a remote non-authenticated attacker to inject JavaScript into the text field from a web content. Liferay...
-
Liferay Portal 7.4.0 through 7.4.3.131 Liferay DXP 2024.Q4.0 through 2024.Q4.1 Liferay DXP 2024.Q3.1 through 2024.Q3.13 Liferay DXP 2024.Q2.0 through 2024.Q2.13 Liferay DXP 2024.Q1.1 through...
-
Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q2.0 Username enumeration vulnerability in Liferay Portal and Liferay DXP allows attackers to determine if an account exists in the...
-
Liferay Portal 7.4.0 through 7.4.3.131 Liferay DXP 2024.Q4.0 through 2024.Q4.3 Liferay DXP 2024.Q3.1 through 2024.Q3.12 Liferay DXP 2024.Q2.0 through 2024.Q2.13 Liferay DXP 2024.Q1.1 through...
-
User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exists in the application via the create account page. Liferay Portal 7.4.0...
-
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote non-authenticated attacker to inject JavaScript into the google_gadget. Liferay Portal...
-
Liferay Portal 7.4.3.132 Liferay Portal 7.4.3.132 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q4.5 Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q4.5 Liferay DXP 2024.Q1.13 Liferay DXP 2025.Q1.0 A reflected...
-
The fragment preview functionality in Liferay Portal and Liferay DXP was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript...
-
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.1 Liferay DXP 2024.Q1.15 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q4.0 through...
-
Liferay DXP 2025.Q2.0 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.2 Liferay DXP 2024.Q1.15 Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q1.2 Liferay Portal and...
-
Liferay Portal and Liferay DXP allow users to upload an unlimited amount of files through the forms, the files are stored in the document_library allowing an attacker to cause a potential DDoS....
-
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.2 Liferay DXP 2024.Q1.15 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.1 Liferay DXP...
-
Liferay DXP 2024.Q3.1 Liferay DXP 2024.Q4.0 Liferay DXP 2024.Q1.13 The data exposure vulnerability in Liferay Portal and Liferay DXP allows an unauthorized user to obtain entry data from forms....
-
Liferay DXP 2024.Q3.1 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q4.0 Dtro and TF1T of VietSunshine Cyber Security Services Cross-site scripting (XSS) vulnerability on Liferay Portal and Liferay DXP...
-
Liferay DXP 2024.Q4.0 Enumeration of ERC from object entry in Liferay Portal and Liferay DXP allows attackers to determine existent ERC in the application by exploiting the time response. Liferay...