-
Liferay DXP 7.3 service pack 3 Liferay Portal 7.4.2 Liferay DXP 7.2 fix pack 15 Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal and Liferay DXP allows remote...
-
Severity 2 Liferay Portal and Liferay DXP return different responses depending on whether a site does not exist or the user does not have permission to access the site, which allows remote...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary...
-
Severity 2 The IFrame widget in Liferay Portal and Liferay DXP does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self...
-
The Document and Media widget in Liferay Portal and Liferay DXP does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of...
-
Severity 2 A Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay DXP and Liferay Portal allows remote attackers to accept the site's terms of use via social...
-
Severity 2 Liferay Portal 7.3.6 Liferay DXP 7.3 service pack 1 Liferay DXP 7.2 fix pack 17 Liferay Portal 7.3.0 through 7.3.5 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported...
-
Severity 2 Account lockout in Liferay Portal and Liferay DXP does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been...
-
Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title`...Releases: Liferay DXP 7.4
-
Severity 1 Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 update 41 through update 89 Liferay Portal 7.4.3.41 through 7.4.3.89 Liferay DXP 7.4 update 90 Liferay DXP 7.4 update 90 Liferay Portal 7.4.3.90 Liferay Portal 7.4.3.90 Severity 1...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.3 update 24 Liferay DXP 7.3 update 24 Liferay DXP 7.4 update 79 Liferay Portal 7.4.3.79 Liferay Portal 7.4.3.79 Liferay DXP 7.4 update 79 Severity 2 Stored cross-site scripting (XSS)...
-
Liferay DXP 7.4 before update 54 Liferay Portal 7.4.2 through 7.4.3.53 Liferay DXP 7.4 update 54 Liferay DXP 7.4 update 54 Liferay Portal 7.4.3.54 Liferay Portal 7.4.3.54 Severity 2 Multiple stored...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay Portal 7.4.3.92 This issue was reported by Michael Oelke Severity 1 Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal and Liferay DXP allow...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML into a parent wiki...
-
Severity 2 Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 The organization selector in Liferay Portal and Liferay DXP does not check user permission, which allows remote authenticated users to obtain a list of all organizations. Liferay DXP 7.4...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 update 70 through 76 Liferay Portal 7.4.3.70 - 7.4.3.76 Liferay DXP 7.4 update 77 Liferay DXP 7.4 update 77 Liferay Portal 7.4.3.77 Liferay Portal 7.4.3.77 This issue was reported...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay Portal 7.4.3.77 This issue was reported by NDIx Severity 2 Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 1 Pattern Redirects in Liferay Portal and Liferay DXP allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 update 67 Liferay Portal 7.4.3.67 Liferay DXP 7.4 update 68 Liferay DXP 7.4 update 68 Liferay Portal 7.4.3.68 Liferay Portal 7.4.3.68 Severity 2 The Dynamic Data Mapping module in...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay Portal 7.3.1 Severity 2 In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create accounts...
-
Liferay Portal 7.4.3.61 Severity 2 The Object module in Liferay Portal and Liferay DXP does not segment object definition by virtual instance in search, which allows remote authenticated users in...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 The Object module in Liferay Portal and Liferay DXP does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Liferay DXP 7.3 update 6 Liferay DXP 7.4 update 18 Liferay Portal 7.4.3.18 Liferay DXP 7.3 before update 6 Liferay DXP 7.4 before update 18 Liferay Portal 7.3.1 - 7.3.7 Liferay Portal...
-
Liferay DXP 7.3 update 24 Liferay DXP 7.3 update 24 Liferay DXP 7.4 update 69 Liferay Portal 7.4.3.69 Liferay Portal 7.4.3.69 Liferay DXP 7.4 update 69 Severity 2 Cross-site scripting (XSS)...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 update 50 Liferay Portal 7.4.3.50 Liferay DXP 7.4 update 51 Liferay DXP 7.4 update 51 Liferay Portal 7.4.3.51 Liferay Portal 7.4.3.51 Severity 2 Cross-site scripting (XSS)...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay Portal 7.4.3.53 Severity 2 Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal and Liferay DXP...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the Remote App's...Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script...
-
Liferay Portal 7.3.1 Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
-
Liferay Portal 7.0.0 - 7.0.6 Liferay Portal 7.1.0 - 7.1.3 Liferay Portal 7.2.0 - 7.2.1 Liferay Portal 7.3.0 - 7.3.7 Liferay Portal 7.4.0 - 7.4.3.4 Liferay Portal 7.4.3.5 Liferay Portal 7.4.3.5...
-
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.2 does not validate HTTPS certificates used with DDMRESTDataProvider, which allows man-in-the-middle attackers to impersonate,...
-
Severity 2 The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4 does not properly check permission of form entries, which allows remote authenticated users to view and access all...
-
Severity 2 Liferay Portal 7.4.3.5 There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4. Liferay Portal 7.3.2 - 7.3.7 Liferay Portal 7.4.0 - 7.4.3.4 Liferay Portal...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4 does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the...Releases: Liferay Portal 7.4
-
Severity 2 The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36 does not properly check user permission, which allows remote attackers to obtain the history of all friendly URLs that...Releases: Liferay Portal 7.4
-
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.4.3.36 Liferay Portal 7.4.3.36 Severity 2 Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 allows attackers to create or overwrite existing files...Releases: Liferay Portal 7.4
-
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 allows remote attackers to consume an excessive amount of server resources via a crafted payload...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18 allows attackers to create or overwrite existing files on the filesystem via the...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.4.0 There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4. Liferay Portal 7.3.7 Liferay Portal 7.4.0 SQL injection vulnerability in the Friendly...Releases: Liferay Portal 7.3
-
Severity 2 SQL injection vulnerability in the Layout module's page template upgrade process in Liferay Portal 7.1.3 through 7.4.3.4 allows remote authenticated attackers to execute arbitrary SQL...
-
SQL injection vulnerability in the Fragment module's PortletPreferences upgrade process in Liferay Portal 7.3.3 through 7.4.3.16 allows attackers to execute arbitrary SQL commands via a...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.3.5 - 7.3.7 Liferay Portal 7.4.0 - 7.4.2 Liferay Portal 7.4.3.4 Liferay Portal 7.4.3.4 There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4. This...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Portal Search module's Tag Facet widget in Liferay Portal 7.1.0 through 7.4.2 allows remote attackers to inject arbitrary web script or...
-
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module's <clay:label> tag in Liferay Portal 7.3.2 through 7.4.3.16 allows remote attackers to inject arbitrary web script or HTML via...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14 allows remote attackers to inject arbitrary...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.4.3.37 Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject...Releases: Liferay Portal 7.4
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36 allows remote attackers to inject arbitrary web script or...Releases: Liferay Portal 7.4
-
Cross-site scripting (XSS) vulnerability in Document Library module's move file interface in Liferay Portal 7.4.3.30 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML...Releases: Liferay Portal 7.4
-
Liferay Portal 7.4.3.25 Liferay Portal 7.4.3.25 There is no fix available for Liferay Portal 7.2 and 7.3. Please upgrade to Liferay Portal 7.4. Severity 2 Cross-site scripting (XSS) vulnerability...
-
Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2 allows remote attackers to inject arbitrary web script or HTML by sharing an...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Announcements module's Announcement and Alerts management page in Liferay Portal 7.1.0 through 7.4.2 allows remote attackers to inject...
-
Liferay Portal 7.3.5 - 7.3.7 Liferay Portal 7.4.0 - 7.4.3.28 Liferay Portal 7.4.3.29 Liferay Portal 7.4.3.29 There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4....Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
This issue was reported by Rafal Lykowski, A1 Digital International Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector input field in Liferay Portal 7.3.0...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 The Layout module in Liferay Portal 7.3.3 through 7.4.3.34 does not check user permission before showing the preview of a "Content Page" type page, which allows remote attackers to view...Releases: Liferay Portal 7.4 Liferay Portal 7.3