-
Severity 2 Liferay Portal 7.4.3.37 Liferay Portal 7.4.3.12 - 7.4.3.36 Liferay Portal 7.4.3.37 The Translation module in Liferay Portal 7.4.3.12 through 7.4.3.36 does not check permissions before...Releases: Liferay Portal 7.4
-
This issue was reported by Jakub Zoczek, Securitum Severity 2 The Remote App module in Liferay Portal 7.4.3.4 through 7.4.3.8 does not check if the origin of event messages it receives matches the...Releases: Liferay Portal 7.4
-
Liferay Portal 7.0.0 through 7.2.0 does not check if a portlet mode is valid, which allows remote attackers to disable the product menu via supplying an invalid portlet mode in the URL. Severity 2...
-
Severity 2 The portal property, auth.login.prompt.enabled defaults to true in Liferay Portal 7.0.0 through 7.4.2 which allows attackers to enumerate and discover the existence of screen names, site...
-
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of...Releases: Liferay Portal 7.4
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the...Releases: Liferay Portal 7.4
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Fragment modules in Liferay Portal 7.4.3.4 allows remote attackers to inject arbitrary web script or HTML via parameters with a `filter_`...Releases: Liferay Portal 7.4
-
Liferay Portal 7.4.3.4 January 2022 source patch for Liferay Portal 7.3.7. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the <liferay-asset:asset-tags-selector> tag in Liferay Portal 7.3.3 through 7.4.2 allows remote attackers to inject arbitrary web script or...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1 allows remote attackers to inject arbitrary web script...
-
Liferay Portal 7.3.1 - 7.3.7 Liferay Portal 7.4.0 - 7.4.2 Liferay Portal 7.4.3.4 Liferay Portal 7.4.3.4 January 2022 source patch for Liferay Portal 7.3.7. Details for working with source patches...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.3.7 through 7.4.1 allows remote authenticated users to view sites/groups via the user's site membership assignment UI. Because user permission does not properly check when...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 Liferay Portal 7.4.1 January 2022 source patch for Liferay Portal 7.3.7. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.3.3 -...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
This issue was reported by Duy Huynh Severity 2 Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0 allows remote attackers...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Severity 2 The Portal Security module in Liferay Portal 7.2.1 and earlier does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating...
-
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add...
-
Liferay Portal 7.3.7 Liferay Portal 7.3.7 Severity 2 Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary...Releases: Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the output of a...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML...Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.7 Liferay Portal 7.3.7 Liferay Portal 7.4.1 August 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal...
-
Liferay Portal 7.2.1 Liferay Portal 7.2.1 In Liferay Portal 7.0.6, 7.1.3, 7.2.0, and possibly earlier unsupported versions, the MembershipRequestService APIs can be used in a denial-of-service...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Forms and Workflow module's edit workflow configuration in Liferay Portal 7.0.0 through 7.0.6 allows remote attackers to inject arbitrary...Releases: Liferay Portal 7.0
-
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via...Releases: Liferay Portal 7.4
-
Liferay Portal 7.3.6 Liferay Portal 7.3.6 Severity 2 Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 allow remote authenticated users to execute arbitrary SQL commands via the...Releases: Liferay Portal 7.3
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via...Releases: Liferay Portal 7.3
-
In the Portal Workflow module in Liferay Portal 6.2.2 through 7.3.2, users' passwords are stored in the database if workflow is enabled for new users. This allows attackers with access to the database...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the portlet configuration module in Liferay Portal 7.1.0 through 7.3.2 allows remote attackers to inject arbitrary web script or HTML via the...
-
Liferay Portal 7.3.3 The Dynamic Data Mapping module in Liferay Portal 7.3.2 and earlier does not properly check user permissions, which allows remote attackers with the forms "Access in Site...
-
Severity 2 The Layout module in Liferay Portal 6.2.0 through 6.2.5, 7.1.0 through 7.3.2 and earlier exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and...
-
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2 allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal.property...
-
Liferay Portal 7.3.1 Liferay Portal 7.3.1 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix...
-
Cross-site scripting (XSS) vulnerability in the layout module in Liferay Portal 7.2.0 and 7.2.1 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.2
-
Cross-site scripting (XSS) vulnerability in the asset module in Liferay Portal 7.0.0 through 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the (1)...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the document library module in Liferay Portal 7.3.0 through 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.5 Liferay Portal 7.3.5 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. Severity 2...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the title of a...
-
Severity 2 Liferay Portal 7.3.4 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.3.4 The...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Severity 2 Cross-site scripting (XSS) vulnerability in Web Content Display in Liferay Portal 7.1.1 through 7.3.3 allows remote attackers to inject arbitrary web script or HTML via web content...
-
Cross-site scripting (XSS) vulnerability in the journal module in Liferay Portal 7.3.0 through 7.3.3 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3
-
Severity 2 The Portal Workflow module in Liferay Portal 7.3.2 and earlier does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions...
-
Liferay Portal 7.3.3 This issue was reported by Prajwal Khante Liferay Portal 7.2.0 through 7.3.2 allows access to Cross-origin resource sharing (CORS) protected resources if the user is only...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Severity 2 Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1 allows remote attackers to redirect users to arbitrary external URLs via the 'redirect'...
-
Severity 2 The Flags module in Liferay Portal 7.3.1 and earlier does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site...
-
Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
-
Severity 2 The Layout module in Liferay Portal 7.1.0 through 7.3.1 does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the...
-
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4 and 7.3.5 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.6 Liferay Portal 7.3.6 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. Severity 2...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5 allows remote attackers to inject arbitrary web script or...
-
Severity 2 The Portal Store module in Liferay Portal 7.0.0 through 7.3.5 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle...
-
Severity 2 Liferay Portal 7.3.6 Liferay Portal 7.3.6 Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 allows remote attackers to...Releases: Liferay Portal 7.3
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5 allows remote attackers to inject arbitrary web...Releases: Liferay Portal 7.3
-
Severity 2 The SimpleCaptcha implementation in Liferay Portal 7.3.4 and 7.3.5 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions...Releases: Liferay Portal 7.3
-
The JSON web services in Liferay Portal 7.3.4 and earlier may contain overly verbose error messages, which allows remote attackers to use the contents of error messages to...
-
Liferay Portal 7.3.6 Liferay Portal 7.3.6 Severity 2 The Data Engine module in Liferay Portal 7.3.0 through 7.3.5 does not check permissions in DataDefinitionResourceImpl....Releases: Liferay Portal 7.3
-
May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.0 and 7.2.1, a reflected cross-site...Releases: Liferay Portal 7.2
-
The redirect module in Liferay Portal 7.3.2 does not limit the number of URLs that result in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by...Releases: Liferay Portal 7.3
-
Severity 1 Liferay Portal before 7.3.3 does not restrict the size of ‘multipart/form-data’ encoded form post, which allows remote authenticated users to conduct denial-of-service attacks by...
-
Liferay Portal 7.3.3 September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.3.3 Cross-site...Releases: Liferay Portal 7.3 Liferay Portal 7.2