- Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal and Liferay DXP allows remote attackers to register a server license via the 'orderUuid'...
- Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal and Liferay DXP allows remote attackers to (1) add files to arbitrary locations on the server and (2)...
- SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,... Liferay Portal 7.4.3.22, Liferay DXP 7.4 Update 10, Liferay DXP 7.3 Update 26.
- Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute Cross-Site Request Forgery. Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0...
- The Script Console in Liferay Portal and Liferay DXP does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary... Severity 1.
- The Portal Security module in Liferay Portal 7.2.1 and earlier does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by...
- Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the output of a...
- In the Portal Workflow module in Liferay Portal 6.2.2 through 7.3.2, users' passwords are stored in the database if workflow is enabled for new users. This allows attackers with access to the database...
- Liferay Portal 7.3.3. May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
- The Flags module in Liferay Portal 7.3.1 and earlier does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator...
- Liferay Portal 7.1.0 and earlier is vulnerable to denial-of-service (DoS) attacks via file uploads because of vulnerabilities in Apache Tika. Severity 1. Liferay Portal 7.1.1. March 2020 source patch...
- The RSS portlet and FuseMail... Liferay Portal 7.0.3. March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Liferay Portal 6.2.5 and earlier does not properly check permissions, which allows remote authenticated users to impersonate, edit, or delete administrators. Workaround: Remove the User.DELETE,... Releases: Liferay Portal 6.2 CE.
- Remote code execution vulnerability in DDM templates in Liferay Portal 7.0.0 and earlier allows remote authenticated users with permission to create/edit templates to create templates that can run... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Denial-of-service (DoS) vulnerability in the document library in Liferay Portal 6.2.5 and earlier allows remote attackers to cause an OutOfMemoryError by uploading a crafted PDF file. Workaround: Use... Releases: Liferay Portal 6.2 CE.
- Remote file disclosure vulnerability in DDM templates in Liferay Portal 6.2.5 and earlier allows remote authenticated users with permission to create/edit templates to view any files that are readable... Releases: Liferay Portal 6.2 CE.
- The IFrame portlet in Liferay Portal 6.2.5 and earlier... March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Server-side request forgery (SSRF) vulnerability in the pingback functionality of blogs in Liferay Portal before 7.1.0 allows remote attackers to send HTTP requests to intranet servers and conduct... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Review permissions settings and do... Liferay Portal 7.0.1. March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay Portal 7.1 CE GA4 and earlier, a potential SQL injection vulnerability exists in the asset framework. Severity 1. March 2020 source patch for Liferay Portal 7.1.3. Details for working with...
- Liferay Portal 7.2.0 and earlier contains a remote code execution (RCE) vulnerability via JSON web services (JSONWS). Workaround: Disable JSONWS by setting the portal.property...
- Liferay Portal 7.1.1. March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page. March 2020 source patch for Liferay...
- Liferay Portal 7.1.0 and earlier is vulnerable to remote code execution (RCE) via deserialization of JSON data. Severity 1. Liferay Portal 7.1.1. March 2020 source patch for Liferay Portal 7.0.6....
- Liferay Portal 7.1.0 and earlier contains a path traversal vulnerability in Web Content templates and Application Display Templates (ADT). The vulnerability allows any user with permission to...
- Liferay Portal 7.1.0 and earlier is vulnerable to server-side request forgery (SSRF) via Web Content templates and Application Display Templates (ADT), which may allow an attacker access to...
- In Liferay Portal 7.0.5 and earlier, the Web Proxy portlet/application allows remote attackers to execute arbitrary code via a supplied stylesheet. Patched versions of the portal will prevent users... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- The portal may be vulnerable to BREACH attacks if the portal is using HTTPS and compression (GZip) is enabled. Workaround: Disable compression by setting... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
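The BREACH entry above only names the two preconditions (HTTPS and gzip). The following added example, which is not from the advisory or from Liferay, shows why those two together are enough: the compressed size of a response that reflects attacker input leaks how much of that input matches a secret elsewhere in the same body, here a hidden anti-CSRF token. The page template, the token value, the `p_auth` field name and the `Results for:` reflection are all constructed for the demo; the `Z_FIXED` strategy is chosen so that each wrong guess costs exactly one extra literal and the demo is deterministic (with the default dynamic Huffman tables the signal is the same but noisier, which is why the real attack repeats and averages).

```python
import zlib

# Constructed values: a made-up 10-hex-digit anti-CSRF token and the page template an
# attacker learns by viewing any page. Neither is a real Liferay token or template.
SECRET = "3f9a1c0b7d"
ANCHOR = 'name="p_auth" value="'   # template bytes that immediately precede the token
HEX = "0123456789abcdef"


def render_page(secret: str, query: str) -> bytes:
    """Constructed page: a hidden anti-CSRF token plus a reflected search term."""
    return (
        "<html><body>\n"
        '<form action="/search" method="post">\n'
        f'<input type="hidden" name="p_auth" value="{secret}">\n'
        '<input type="text" name="keywords">\n'
        "</form>\n"
        f"<p>Results for: {query}</p>\n"
        "</body></html>\n"
    ).encode()


def gzip_size(body: bytes) -> int:
    """Compressed length, i.e. the Content-Length an observer on the wire sees.
    Z_FIXED (static Huffman table) makes every wrong guess exactly one literal longer
    than the right one, so the demo is deterministic. With the default dynamic tables
    the saving is the same but partly masked by table changes and byte rounding, which
    is why a real BREACH attack repeats requests and averages."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 31, 8, zlib.Z_FIXED)  # wbits 31 = gzip container
    return len(comp.compress(body) + comp.flush())


def make_oracle(secret: str):
    """All the attacker can measure: response size as a function of the reflected input."""
    def oracle(query: str) -> int:
        return gzip_size(render_page(secret, query))
    return oracle


def recover_token(oracle, anchor: str, length: int, alphabet: str = HEX) -> str:
    """Byte-at-a-time recovery: the guess that extends the LZ77 match against the real
    token by one more byte is the one that compresses smallest."""
    recovered = ""
    for _ in range(length):
        sizes = {ch: oracle(anchor + recovered + ch) for ch in alphabet}
        recovered += min(sizes, key=sizes.get)
    return recovered


def breach_exposed(scheme: str, headers: dict) -> bool:
    """Precondition check from the advisory: TLS plus compressed response bodies."""
    encoding = headers.get("Content-Encoding", "").lower()
    return scheme == "https" and encoding in {"gzip", "deflate"}


if __name__ == "__main__":
    oracle = make_oracle(SECRET)
    print("right vs wrong first byte:", oracle(ANCHOR + "3"), oracle(ANCHOR + "4"))
    print("recovered token:", recover_token(oracle, ANCHOR, len(SECRET)))
```

Disabling compression, as the workaround says, removes the oracle entirely; the alternatives (per-request token masking, or never reflecting user input into a response that also carries a secret) remove one of the other ingredients the demo relies on.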
- The "doAsUserId" parameter used by administrators for impersonating another user can be leaked to third-party sites. Severity 2. Liferay Portal 7.0.6. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- The asset tag API leaks information about the user who created the asset tag. Severity 2. Liferay Portal 7.0.6. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- A reflected cross-site scripting (XSS) vulnerability exists on the JSONWS API page. An attacker can potentially exploit this security vulnerability to insert malicious JavaScript into a page.... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Content spoofing is possible via URL manipulation in applications that support tags. An attacker can potentially exploit this security vulnerability to spoof content and mislead users. Severity 2... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- All files within the application's WAR folder are accessible via a crafted URL. Severity 1. Liferay Portal 7.0.5. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay Portal 7.0.4 and earlier,... Liferay Portal 7.0.5. March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In a shared environment (e.g., a computer at a library or internet cafe), a user's reminder query answer may be accessible to another user. Severity 2. Liferay Portal 7.0.4. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- A user's email address, screen name or user ID (depending on the authentication method) is exposed in the URL. Severity 2. Liferay Portal 7.0.4. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay Portal 7.0 CE GA3, Velocity and FreeMarker templates do not properly restrict the use of some variables, which allows any user with permission to create a template to insert arbitrary... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay... 7.0.3-ce-ga4-security-1.0 patch (source). March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay Portal 7.0 CE GA4, AggregateFilter, MinifierFilter and DynamicCSSFilter allow unauthenticated users to cause a denial of service (disk consumption) via a crafted URL. Severity 1... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2. Liferay Portal 7.0.0. This issue was reported by Marko Winkler. Releases: Liferay Portal 6.2 CE.
- User credentials may appear in the logs if the user authenticates using basic authentication. Severity 2. Liferay Portal 7.0.0. Releases: Liferay Portal 6.2 CE.
- Insufficient permission checking in Message Boards and Comments allows unauthorized users to edit and/or delete other users' messages or comments. Severity 2. Liferay Portal 7.0.0. This issue was... Releases: Liferay Portal 6.2 CE.
- Users without the necessary permission can view page configuration information via crafted URLs. Severity 2. Liferay Portal 7.0.0. This issue was reported by Spyridon Chatzimichail. Releases: Liferay Portal 6.2 CE.
- When JAAS is enabled, ThreadLocal may leak variables to other processes. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Passwords are visible to administrators in the Server Administration section of the Control Panel. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- The password history checking functionality in a password policy can be circumvented via forgot password. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Open redirect vulnerability in the Search application allows remote attackers to redirect users to arbitrary web sites. Severity 2. Liferay Portal 7.0.3. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Apache Commons FileUpload, as used... Liferay Portal 7.0.3. March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Unsanitized data in SessionClicks allows an attacker to cause a denial of service (DoS) via crafted URLs. The denial of service is limited to users who have clicked on the crafted URL and may... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- TunnelServlet allows remote code execution by unauthenticated users. Severity 1. Liferay Portal 7.0.3. This issue was reported by Jacob Baines. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- In Liferay Portal 7.0.1 and earlier, PDFBox does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Editing a blog entry may reset the blog entry's permissions to the default permissions. This may allow a user without the necessary permission to view a blog entry. Severity 2. Liferay Portal 7.0.2. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- The search results in the Search portlet may include results which a user does not have permission to view. Severity 2. Liferay Portal 7.0.2. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- By default, Liferay Portal gives every registered user the Power User role. When a signed-in user has the Power User role, the user will have their own site and permissions to manage the site... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Cross-Site Request Forgery (CSRF) tokens are persisted in the database and may make it easier for an attacker to launch a CSRF attack. Severity 2. Liferay Portal 7.0.1. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- An open redirect vulnerability exists with Facebook authentication. An attacker can potentially exploit this security vulnerability to redirect users to a different site.... Liferay Portal 7.0.1. Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE.
- Velocity and FreeMarker templates are vulnerable to remote code execution (RCE) and privilege escalation. Severity 1. Note that there are two binary patches which fix this issue, as well as all... Releases: Liferay Portal 6.2 CE.
- Password policies can be configured to lock out a user after a specified number of failed login attempts. However, if a user is using digest authentication, this lockout can be circumvented.... Releases: Liferay Portal 6.2 CE.
- Note that there are two binary patches which fix this issue, as well as all previous CST fixes for this release. You only need to apply one of these, not both. Binary Patch 1: The "complete" patch... Releases: Liferay Portal 6.2 CE.
- An open redirect vulnerability may be possible with some specially constructed domain names. An attacker can potentially exploit this security vulnerability to redirect users to a different... Releases: Liferay Portal 6.2 CE.
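Three entries in this list are open redirects (the Search application, Facebook authentication, and the one just above about "specially constructed domain names"). The added example below is not Liferay's code and does not reproduce any of those specific bugs; it is a redirect-target validator of the kind a practitioner would put in front of any `redirect` parameter, exercised against the crafted forms that typically get past a naive "does it start with our hostname" check. The allowlist host `portal.example.com` and the probe URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts a redirect may land on; not a Liferay setting.
ALLOWED_HOSTS = {"portal.example.com"}


def safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Return url if a browser can only end up on this site (or an allowlisted host),
    otherwise the safe default. Fails closed on anything the URL parser here and a
    browser might read differently."""
    if not url or any(ord(ch) <= 0x20 or ord(ch) == 0x7F or ch == "\\" for ch in url):
        # Browsers strip leading tabs/newlines before parsing and treat "\" like "/"
        # in http(s) URLs; both are parser-confusion material, so reject outright.
        return default
    if url.startswith("/"):
        # Site-relative path. "//host" and even "///host" are network-path references
        # to a browser (extra slashes are ignored), so only a single leading "/" is safe.
        return default if url.startswith("//") else url
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lower-cased, brackets stripped, userinfo removed
    except ValueError:
        return default
    if parts.scheme not in ("http", "https") or not host:
        # javascript:/data: schemes, and forms like "https:evil.example" with no authority.
        return default
    if parts.username is not None or parts.password is not None:
        # "https://portal.example.com@evil.example": the allowlisted name is only userinfo.
        return default
    return url if host in allowed_hosts else default


# Constructed probe URLs paired with the result the validator must produce.
CASES = [
    ("/web/guest/home", "/web/guest/home"),
    ("https://portal.example.com/web/guest/home", "https://portal.example.com/web/guest/home"),
    ("HTTPS://PORTAL.EXAMPLE.COM/c/portal/login", "HTTPS://PORTAL.EXAMPLE.COM/c/portal/login"),
    ("//evil.example/", "/"),                                 # protocol-relative
    ("///evil.example/", "/"),                                # browsers ignore the extra slash
    ("/\\evil.example/", "/"),                                # backslash read as slash
    ("https://portal.example.com.evil.example/", "/"),        # allowlisted name as a prefix
    ("https://portal.example.com@evil.example/", "/"),        # allowlisted name as userinfo
    ("https://evil.example/portal.example.com", "/"),         # allowlisted name in the path
    ("https:evil.example", "/"),                              # scheme but no authority
    ("javascript:alert(1)", "/"),
    ("\thttps://evil.example/", "/"),                         # leading control character
    ("web/guest/home", "/"),                                  # ambiguous relative path
]


def failing_cases():
    """Probe URLs whose result differs from the expected value (empty when all pass)."""
    return [(u, safe_redirect(u)) for u, expected in CASES if safe_redirect(u) != expected]


if __name__ == "__main__":
    for url, _ in CASES:
        print(f"{url!r:48} -> {safe_redirect(url)!r}")
    assert not failing_cases()
```

The validator compares the parsed hostname against an exact allowlist rather than using `startswith` or a substring test, and it refuses the whole input whenever the server-side parser and a browser could disagree about where the URL points; that disagreement is what "specially constructed domain names" exploit.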