- Severity 2 Liferay Portal before 7.3.3 does not properly restrict access to the sitemap.xml of staged public pages, which allows remote attackers to access sitemap.xml and learn of the existence... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- The Calendar widget records views by unauthenticated users in Liferay Portal 7.2.0 through 7.3.0, which allows remote attackers who view a Calendar widget to prevent changes to Instance Settings... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- Liferay Portal 7.3.1 September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. Severity 2... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- Some issues reported by Arun Das Severity 2 Liferay Portal 7.2.1, 7.3.2 and possibly earlier unsupported versions include the following libraries which have known vulnerabilities: Netty 4.1.42... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- In Liferay Portal 7.1.0 through 7.2.1, an open redirect vulnerability exists with the 'redirect' parameter in System Settings' search. Severity 2 September 2020 source patch for Liferay Portal... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- The OAuth module in Liferay Portal 7.1.0 through 7.2.1 contains an authentication flaw which allows an attacker with a valid OAuth2 token to access the REST application APIs in a different Portal... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Stored cross-site scripting (XSS) vulnerability in the Document Library module in Liferay Portal 7.1.0 through 7.2.1 allows remote attackers to inject arbitrary web script or HTML via the user's... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- In Liferay Portal before 7.3.3, an administrator can limit the type of images that can be used as a blog cover image. However, this protection can be circumvented via HTTP manipulation to upload... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- Severity 2 Multiple cross-site scripting (XSS) vulnerabilities in the fragment module in Liferay Portal 7.1.0 through 7.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1)...
- Liferay Portal 7.3.3 The login module in Liferay Portal before 7.3.3 will indicate whether an email address or screen name is in the system or not, which allows remote attackers to enumerate users... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- Severity 1 Liferay Portal before 7.3.1 does not decode a URL before determining if the resource should be served, which allows remote attackers to access restricted portlet resources (e.g., files... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- The staging module in Liferay Portal before 7.3.2 does not properly check user permissions, which allows remote authenticated users to delete a publishing process via the staging menu. Severity 2... Releases: Liferay Portal 7.3 Liferay Portal 7.2
- Liferay Portal 7.3.1 Severity 2 Liferay Portal 7.3.0 does not properly check user permissions, which allows remote authenticated users to view user groups that are members of a... Releases: Liferay Portal 7.3
- Liferay Portal 7.3.0 and 7.3.1 include the following libraries which have known vulnerabilities: Apache POI 4.1.0 Severity 2 Liferay Portal 7.3.2 Releases: Liferay Portal 7.3
- Severity 2 Cross-site scripting (XSS) vulnerability in the portal workflow module in Liferay Portal 7.3.0 allows remote attackers to inject arbitrary web script or HTML via the user name parameter... Releases: Liferay Portal 7.3
- Liferay Portal 7.3.1 June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source...
- In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the existence of a private site and the site name are disclosed in the Blogs widget's RSS feed. Severity 2 Liferay Portal 7.2.1... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Severity 2 In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, any user can display an unconfigured instance of an instantiable widget. Liferay Portal 7.2.1... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source patch for Liferay Portal 7.1.3. Details... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- In Liferay Portal 7.1.3, 7.2.1 and possibly earlier unsupported versions, exporting Page Fragments and Page Fragment Collections can overwrite files in the filesystem with the following filenames:... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Liferay Portal 7.1.3 and 7.2.1 include the following libraries which have known vulnerabilities: Apache Commons Compress 1.18 Bouncy Castle Provider 1.45 c3p0 0.9.5.3 Jackson Databind 2.9.9.3... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Severity 2 Liferay Portal 7.2.1 June 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.2.1 In... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Some vulnerabilities reported by Casey Erdmann, Giuseppino Cadeddu and Simone Cinti Severity 2 Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.1.3, 7.2.1 and possibly... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Liferay Portal 7.x before 7.2.1 is vulnerable to Server-Side Request Forgery (SSRF) via the DDM REST Data Provider, which allows an attacker access to sensitive information. This issue exists because...
- In Liferay Portal 7.1.3 and possibly earlier unsupported versions, the JAX-RS API does not check for a CSRF token, which allows remote attackers to perform Cross-site request forgery (CSRF)... Releases: Liferay Portal 7.1
- Severity 1 In Liferay Portal 7.2.1 and earlier, the 'Test LDAP Connection' feature can be exploited to obtain the LDAP password. Liferay Portal 7.2.1 June 2020 source patch for...
- Liferay Portal 7.2.1 In Liferay Portal 7.2.1 and earlier, a Java deserialization vulnerability exists when the portal is clustered. Communication between the nodes can be intercepted and modified... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Severity 1 In Liferay Portal before 7.3.2, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted...
- Severity 1 Liferay Portal 7.x before 7.3.2 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data...
- Liferay Portal 7.1.3 and possibly earlier unsupported versions are bundled with Apache Tika 1.20, which contains known vulnerabilities. Severity 2 March 2020 source patch for Liferay Portal... Releases: Liferay Portal 7.1
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.1.3 and possibly earlier unsupported... Releases: Liferay Portal 7.1
- Liferay Portal 7.1.3 and possibly earlier unsupported versions are bundled with Jasig CAS Client 3.1.12, which contains known vulnerabilities. Severity 2 March 2020 source patch for Liferay... Releases: Liferay Portal 7.1
- Liferay Portal 7.1.3 and possibly earlier unsupported versions are bundled with Jackson Databind 2.9.8, which contains known vulnerabilities. Severity 2 March 2020 source patch for Liferay... Releases: Liferay Portal 7.1
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.1.3 and possibly earlier unsupported... Releases: Liferay Portal 7.1
- Liferay Portal 7.2.1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.2.1 This issue was... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- In Liferay Portal 7.1.3 and possibly earlier unsupported versions, the 'com.liferay.frontend.js.lodash.web' bundle includes Lodash 4.17.4, which has known vulnerabilities. Severity 2 March 2020... Releases: Liferay Portal 7.1
- Liferay Portal 7.0.0 through 7.0.6 does not properly verify permissions when creating pages, which may lead to attackers changing portal settings and gaining access to sensitive information. Severity... Releases: Liferay Portal 7.0
- Severity 1 Liferay Portal 7.1.0 and earlier is vulnerable to denial-of-service (DoS) attacks via file uploads because of vulnerabilities in Apache Tika. Liferay Portal 7.1.1...
- In Liferay Portal 7.2.0 and earlier, users can update their password via JSONWS without supplying their current password. An attacker can exploit this to modify a user password by leveraging XSS,... Releases: Liferay Portal 7.2 Liferay Portal 7.1
- Liferay Portal 7.0.3 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Severity 1 The... Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
- Liferay Portal 6.2.5 and earlier does not properly check permissions, which allows remote authenticated users to impersonate, edit, or delete administrators. Workaround: Remove the User.DELETE,... Releases: Liferay Portal 6.2 CE
- Remote code execution vulnerability in DDM template in Liferay Portal 7.0.0 and earlier allows remote authenticated users with permission to create/edit templates to create templates that can run... Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
- Denial-of-service (DoS) vulnerability in document library in Liferay Portal 6.2.5 and earlier allows remote attackers to cause an OutOfMemoryError by uploading a crafted PDF file. Workaround: Use... Releases: Liferay Portal 6.2 CE
- Remote file disclosure vulnerability in DDM templates in Liferay Portal 6.2.5 and earlier allows remote authenticated users with permission to create/edit templates to view any files that are readable... Releases: Liferay Portal 6.2 CE
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. The IFrame portlet in Liferay Portal 6.2.5 and earlier... Releases: Liferay Portal 6.2 CE
- Server side request forgery (SSRF) vulnerability in pingback functionality of blogs in Liferay Portal before 7.1.0 allows remote attackers to send HTTP requests to intranet servers and conduct... Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
- Severity 1 Denial-of-service vulnerability in DDM templates in Liferay Portal before 7.0.1 allows attackers to create templates with an infinite loop via embedded portlets. Liferay Portal 7.0.1... Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
- The BaseBSFPortlet class contains a path traversal vulnerability via URL manipulation. Liferay Portal 7.0 CE does not use the BaseBSFPortlet class out of the box. However, developers extending... Releases: Liferay Portal 7.0
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the LDAP credentials are transmitted in plain text. Severity 2 March 2020 source patch for Liferay Portal 7.1.3. Details for... Releases: Liferay Portal 7.1
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the 'X-Forwarded-Host' HTTP header can be used to bypass the whitelisted hosts provided in the portal property... Releases: Liferay Portal 7.1
- Liferay Portal 7.1.3 and earlier is vulnerable to remote code execution via deserialization of JSON data. Severity 1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with... Releases: Liferay Portal 7.1
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. The open redirect protection component in Liferay Portal... Releases: Liferay Portal 7.1
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the user's password is visible on the screen immediately after the account creation process. Severity 2 March 2020 source... Releases: Liferay Portal 7.1
- In Liferay Portal 7.1 CE GA4 and earlier, a potential SQL injection vulnerability exists in the asset framework. Severity 1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with...
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.1 CE GA4 and possibly earlier... Releases: Liferay Portal 7.1
- In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, users may be tricked into creating an account with an OpenID provider. If the OpenID provider is not trustworthy, an attacker... Releases: Liferay Portal 7.1
- In Liferay Portal 7.1 CE GA4, multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2 March 2020 source patch for... Releases: Liferay Portal 7.1
- Severity 2 Liferay Portal 7.1.1 Liferay Portal 7.1 GA1 and possibly earlier unsupported versions truncates the regular expression field in a password policy. This may result in... Releases: Liferay Portal 7.1
- Multiple permission issues exist in Liferay Portal 7.1 CE GA4 which allow users to perform actions on resources which they are not authorized to perform. Severity 2 March 2020 source patch for... Releases: Liferay Portal 7.1