Known Vulnerabilities

By default, Liferay Portal and Liferay DXP is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by...

Password enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack. Liferay Portal...

Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.9 Liferay DXP 2025.Q1.0 through 2025.Q1.16 Liferay DXP 2024.Q4.0 through 2024.Q4.7 Liferay DXP 2024.Q3.1 through...

A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal and Liferay DXP allows a remote, authenticated attacker to inject and...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the google_gadget. Liferay Portal...

A vulnerability in Liferay Portal and Liferay DXP allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and...

Liferay Portal 7.4.3.120 Liferay DXP 2024.Q1.6 Liferay DXP 2024.Q2.0 Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions Liferay DXP 2023.Q3.1 through 2023.Q3.10 Liferay DXP...

A Insufficient Session Expiration vulnerability in the Liferay Portal and Liferay DXP is allow an remote non-authenticated attacker to reuse old user session by SLO API Liferay Portal 7.4.3.121...

Liferay Portal and Liferay DXP may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that share the same TLD to read...

A Stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious...

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor...

Liferay Portal 7.4.3.125 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q2.9 Liferay DXP 2024.Q3.0 Liferay DXP 2024.Q4.0 Improper Access Control vulnerability in Liferay Portal and Liferay DXP allows...

Stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks page. Liferay Portal...

A Stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious...

Liferay Portal and Liferay DXP exposes "Internal Server Error" in the response body when a login attempt is made with a deleted Client Secret. Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP...

A Stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScript through the name of a fieldset in Kaleo Forms Admin....

A server-side request forgery (SSRF) vulnerability exist in the Liferay Portal and Liferay DXP that affects custom object attachment fields. This flaw allows an attacker to manipulate the...

Liferay Portal and Liferay DXP has a security vulnerability that allowing for improper access through the expandoTableLocalService. Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0...

Liferay Portal and Liferay DXP allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled. Liferay Portal...

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.6 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.21 This issue was reported by NDIx A stored DOM-based Cross-Site Scripting (XSS)...

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.9 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.20 This issue was reported by NDIx A Stored cross-site scripting vulnerability in the Liferay...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated user to inject JavaScript code via...

A CSRF vulnerability in Liferay Portal and Liferay DXP allows remote attackers to performs cross-origin request on behalf of the authenticated user via the endpoint parameter. Liferay Portal 7.4.0...

Liferay Portal 7.4.0 through 7.4.3.112 Liferay DXP 2024.Q1.1 through 2024.Q1.18 Liferay DXP 7.4 GA through U92 Liferay Portal 7.4.3.113 Liferay DXP 2024.Q1.19 This issue was reported by NDIx A...

Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.2 Liferay DXP 2025.Q1.0 through 2025.Q1.14 Liferay DXP 2024.Q4.0 through 2024.Q4.7 Liferay DXP 2024.Q3.0 through...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript code via...

Liferay Portal 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.2 Liferay DXP 2025.Q1.0 through 2025.Q1.15 Liferay DXP 2024.Q1.13 through 2024.Q1.19 Liferay Portal fixed on master branch Liferay DXP...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScript into the PortalUtil.escapeRedirect Liferay...

Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.4 Liferay DXP 2024.Q4.0 through 2024.Q4.10 Liferay DXP 2024.Q3.1 through 2024.Q3.13 Liferay DXP 2024.Q2.0 through...

This issue was reported by NDIx A Stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScript into the...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the...

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 This issue was reported by Gareth Catterall, AnchorSec security team The vulnerable code can bypass the Captcha check in Liferay Portal...

Liferay Portal and Liferay DXP is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an...

Liferay Portal 7.4.3.132 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q4.6 Liferay Portal 7.4.0 through 7.4.3.131 Liferay DXP 2024.Q4.0 through DXP 2024.Q4.5 Liferay DXP 2024.Q3 Liferay DXP 2024.Q2...

A Denial Of Service via File Upload (DOS) vulnerability in the Liferay Portal and Liferay DXP allows a user to upload more than 300kb profile picture into the user profile. This size more than the...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated user to inject JavaScript into the embedded message field from the form...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated user to inject JavaScript in message board threads and categories. Liferay...

Liferay Portal and Liferay DXP allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the...

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and Liferay DXP allows remote authenticated users to from one virtual instance to access, create, edit, relate data/object...

Liferay Portal 7.4.0 through 7.4.3.119 Liferay DXP 2024.Q1.1 through 2024.Q1.9 Liferay Portal 7.4.3.120 Liferay DXP 2024.Q1.10 Liferay DXP 2024.Q2.0 Liferay DXP 2024.Q3.0 Liferay DXP 2024.Q4.0 ...

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and Liferay DXP allows remote authenticated users to access a workflow definition by name via the API Liferay Portal...

The organization selector in Liferay Portal and Liferay DXP does not check user permission, which allows remote authenticated users to obtain a list of all organizations. Liferay Portal 7.4.3.94...

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the URL in search bar portlet Liferay Portal...

SSRF vulnerability in FreeMarker templates in Liferay Portal and Liferay DXP allows template editors to bypass access validations via crafted URLs. Liferay Portal fixed on master branch Liferay DXP...

Liferay Portal and Liferay DXP allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library Liferay Portal 7.4.0 through 7.4.3.132 Liferay...

Liferay Portal and Liferay DXP allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, given an attacker the possibility to send...

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.5 Liferay DXP 2024.Q1.16 This issue was reported by Shubham Shah - CTO @ Assetnote and Adam Kues - Security...

Liferay Portal and Liferay DXP allows a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web due to improper validation of user-supplied URLs. An attacker...

Liferay Portal fixed on master branch Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q1.4 Liferay DXP 2025.Q2.0 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q1.0 through 2025.Q1.3 Liferay DXP...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScrip in the...

Liferay Portal and Liferay DXP allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs. Liferay Portal 7.4.0 through 7.4.3.131 Liferay...

Open Redirect vulnerability in /c/portal/edit_info_item parameter redirect in Liferay Portal and Liferay DXP allows an attacker to exploit this security vulnerability to redirect users to a...

Liferay Portal 7.4.0 through 7.4.3.131 Liferay DXP 2024.Q4.0 Liferay DXP 2024.Q3.1 through 2024.Q3.13 Liferay DXP 2024.Q2.0 throguh 2024.Q2.13 Liferay DXP 2024.Q1.1 through 2024.Q1.12 Liferay DXP...

A Stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the text field from a web content. Liferay...

Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal and Liferay DXP, which allows authenticated users with...

Username enumeration vulnerability in Liferay Portal and Liferay DXP allows attackers to determine if an account exist in the application by inspecting the server processing time of the login...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the referer or FORWARD_URL using %00...

Liferay Portal fixed on master branch Liferay DXP 2024.Q1.15 Liferay DXP 2025.Q1.0 Liferay DXP 2025.Q2.0 User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the google_gadget. Liferay Portal...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal allows an remote non-authenticated attacker to inject JavaScript into the...