- Liferay Portal and Liferay DXP does not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex...
- Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal and Liferay DXP allows remote attackers to access arbitrary CSS and JSS files and load the files...
- Liferay Portal 7.4.3.22 Liferay DXP 7.4 Update 10 Liferay DXP 7.3 Update 26 SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,...
- Kaleo Forms Admin in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading to... Releases: Liferay Portal 7.4 Liferay DXP 7.3 Liferay DXP 7.4
- Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute Cross-Site Request Forgery Liferay Portal 7.4.3.120 Liferay DXP 2024.Q2.0...
- Severity 1 The Script Console in Liferay Portal and Liferay DXP does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary...
- Liferay Portal and Liferay DXP does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API. Liferay DXP 2023.Q3.1...
- Stored cross-site scripting (XSS) vulnerability in a custom object's /o/c/<object-name> API endpoint in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
- Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
- This issue was reported by foobar7 Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a...
- Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted...
- Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Calendar's "Name"...
- Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal and Liferay DXP allows remote attackers to (1) change user passwords, (2) shut down the server, (3)...
- Severity 2 Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal and Liferay DXP allows remote attackers to (1) change user passwords, (2) shut down the...
- Liferay Portal 7.4.3.108 Liferay DXP 2024.Q1.1 Liferay DXP 2023.Q4.3 Liferay DXP 2023.Q3.6 Liferay DXP 7.3 Update 36 This issue was reported by NDIx Severity 2 Cross-site request forgery (CSRF)...
- Liferay Portal 7.4.0 through 7.4.3.111 Liferay Portal 7.3.2 through 7.3.7 Liferay DXP 2023.Q4.0 through 2023.Q4.5 Liferay DXP 2023.Q3.1 through 2023.Q3.8 Liferay DXP 7.4 Liferay DXP 7.3 Liferay...
- Severity 1 Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the...
- This issue was reported by Barnabás Horváth (T4r0) User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exists in the application by...
- Workaround: Set the following in portal(-ext).properties: http.header.version.verbosity=partial Liferay Portal 7.4.3.26 Liferay DXP 7.4 update 26 Liferay DXP 7.3 update 5 Liferay DXP 7.2 fix pack...
- Severity 2 Privilege escalation vulnerability in Wiki in Liferay Portal and Liferay DXP allows remote authenticated users to become the owner of a wiki page by editing the wiki page. Liferay Portal...
- This issue was reported by Liferay and milCERT AT Severity 1 Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote authenticated users to inject...
- Liferay Portal 7.4.3.16 Liferay DXP 7.4 update 16 Liferay DXP 7.3 update 4 Liferay DXP 7.2 fix pack 19 Severity 2 The Image Uploader module in Liferay Portal and Liferay DXP relies on a request...
- Severity 2 In Liferay Portal and Liferay DXP, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML...
- Severity 2 HtmlUtil.escapeRedirect in Liferay Portal and Liferay DXP can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via...
- Liferay Portal 7.4.0 through 7.4.3.18 Liferay Portal 7.3.0 through 7.3.7 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported versions Liferay DXP 7.4 before update 19 Liferay DXP 7.3...
- Severity 2 The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal and Liferay DXP defaults to a low work factor, which allows attackers to quickly crack password hashes....
- Severity 2 XXE vulnerability in Liferay Portal and Liferay DXP allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via...
- Severity 2 The Journal module in Liferay Portal and Liferay DXP grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI...
- Severity 2 Liferay Portal and Liferay DXP does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User...
- Severity 1 Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
- Liferay Portal 7.4.3.5 Liferay DXP 7.4 update 1 Liferay DXP 7.3 update 4 Liferay DXP 7.2 fix pack 17 Severity 1 Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's...
- Severity 1 Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web script...
- Severity 1 Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web...
- Liferay Portal 7.4.0 through 7.4.2 Liferay Portal 7.3.0 through 7.3.7 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported versions Liferay DXP 7.3 before service pack 3 Liferay DXP 7.2...
- Severity 2 The Calendar module in Liferay Portal and Liferay DXP does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject...
- Liferay Portal 7.4.0 through 7.4.2 Liferay Portal 7.3.0 through 7.3.7 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported versions Liferay DXP 7.3 before update 4 Liferay DXP 7.2...
- Severity 2 Liferay Portal and Liferay DXP does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote...
- Liferay Portal 7.4.2 Liferay DXP 7.3 service pack 3 Liferay DXP 7.2 fix pack 15 Severity 2 In Liferay Portal and Liferay DXP the `doAsUserId` URL parameter may get leaked when creating linked...
- Severity 1 Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via crafted...
- Severity 2 Liferay Portal and Liferay DXP returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote...