-
March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay 7.1.0 through 7.1.3, unauthorized users can... Releases: Liferay Portal 7.1
-
Severity 2 In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the Sign In widget may expose the user's email address and/or password in the page's HTML source. This may allow... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
Severity 2 In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the search results from the Search Bar widget use links that redirect users to HTTP instead of HTTPS. Liferay... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the 'com.liferay.map.openstreetmap' bundle loads the npm package, leaflet, using HTTP instead of HTTPS. Severity 2 Liferay... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
Liferay Portal 7.2.1 Liferay Portal 7.2.1 Severity 2 In Liferay Portal 7.2 CE GA1 and possibly earlier unsupported versions, an open redirect vulnerability exists in Account Settings. Releases: Liferay Portal 7.2
-
In Liferay Portal 7.1 CE GA4, 7.2 CE GA1 and possibly earlier unsupported versions, the Hello World widget reveals the DXP version information. The verbosity of the version information can now be... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
Severity 1 Liferay Portal 7.2.0 and earlier contains a remote code execution (RCE) vulnerability via JSON web services (JSONWS). Workaround: Disable JSONWS by setting the portal.property...
-
Liferay Portal 7.2.1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.2.1 In Liferay... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
Severity 2 Liferay Portal 7.2 CE GA1 includes the following libraries which have known vulnerabilities: Apache Commons BeanUtils 1.9.2, Apache Tika 1.20, Jackson Databind 2.9.9, Jasig CAS Client... Releases: Liferay Portal 7.2
-
Multiple permission issues exist in Liferay Portal 7.2 CE GA1 which allow users to perform actions on resources which they are not authorized to perform. Severity 2 Liferay Portal 7.2.1 Liferay... Releases: Liferay Portal 7.2
-
Liferay Portal 7.2.1 Liferay Portal 7.2.1 Severity 2 In Liferay Portal 7.2 CE GA1, multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML... Releases: Liferay Portal 7.2
-
Liferay Faces Alloy 2.0.2 (source) Liferay Faces Alloy 2.0.2 (source) Liferay Faces Alloy 3.0.2 (source) To install, remove any old versions of Liferay Faces Alloy and place the fixed version of... Releases: Liferay Faces
-
To install, remove any old versions of Liferay Faces Alloy from your WAR and place the new version of Liferay Faces Alloy in each of your Liferay Faces WARs in the WEB-INF/lib directory. Make sure... Releases: Liferay Faces
-
Binary patch (source) To install, place the patch in each of your Liferay Faces WARs in the WEB-INF/lib directory. The dependency can be included via Maven, Gradle, or Ivy. In a Maven project pom.xml... Releases: Liferay Faces
-
Severity 1 Liferay Portal 7.1.0 and earlier is vulnerable to remote code execution using Web Content/DDM templates. Workaround: Review permissions and do not grant untrusted users permissions to...
-
When defining permissions for a role in Liferay Portal 7.1 CE GA3 and older unsupported versions, some permissions may be selected by default. This may unintentionally lead to some users receiving... Releases: Liferay Portal 7.1
-
Severity 2 In Liferay Portal 7.1 CE GA3 and older unsupported versions, an open redirect vulnerability exists in the Language Selector widget. Liferay Portal 7.1.3 Liferay Portal 7.1.3 Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.3 In Liferay Portal 7.1 CE GA3 and older unsupported versions, a path traversal vulnerability exists in poller. Severity 2 Liferay Portal 7.1.3 Releases: Liferay Portal 7.1
-
Severity 2 Liferay Portal 7.1 CE GA3 includes the following libraries which have known vulnerabilities: Apache Batik 1.7, Apache HttpClient 4.1, Apache PDFBox 2.0.9, Apache Tika 1.18, c3p0 0.9.5.2... Releases: Liferay Portal 7.1
-
In Liferay Portal 7.1 CE GA3, multiple cross-site scripting (XSS) vulnerabilities exist which allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2 Liferay Portal... Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.3 Liferay Portal 7.1.3 Severity 1 Liferay Portal 7.1 CE GA3 and older unsupported versions are vulnerable to Server-Side Request Forgery (SSRF) via... Releases: Liferay Portal 7.1
-
In Liferay Portal 7.1 CE GA3 and older unsupported versions, Message Boards posts that are marked as "Anonymous" can be associated with the user who posted them. This issue exists because of an... Releases: Liferay Portal 7.1
-
Severity 2 In Liferay Portal 7.1 CE GA3 and older unsupported versions, a company's secret key is accessible via templates. Liferay Portal 7.1.3 Liferay Portal 7.1.3 Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.3 Liferay Portal 7.1.3 Severity 2 In Liferay Portal 7.1 CE GA3 and older unsupported versions, user password hashes and password reminder answers may appear in the logs if a... Releases: Liferay Portal 7.1
-
Multiple permission issues exist in Liferay Portal 7.1 CE GA3 which allow users to perform actions on resources which they are not authorized to perform. Severity 2 Liferay Portal 7.1.3 Liferay... Releases: Liferay Portal 7.1
-
Severity 2 Message Boards posts that are marked as "Anonymous" can be associated with the user who posted them. Liferay Portal 7.1.2 Liferay Portal 7.1.2 Releases: Liferay Portal 7.1
-
Severity 2 Liferay Portal 7.1.2 Liferay Portal 7.1.2 An open redirect vulnerability exists in Liferay Portal 7.1 CE with the <liferay-ui:header> tag. Releases: Liferay Portal 7.1
-
Severity 2 In Liferay Portal 7.1 CE, an unexpected error may produce an overly verbose error message that is visible to end users. Liferay Portal 7.1.2 Liferay Portal 7.1.2 Releases: Liferay Portal 7.1
-
User login in Liferay Portal 7.1 CE is vulnerable to Cross-Site Request Forgery (CSRF) attacks. Severity 2 Liferay Portal 7.1.2 Liferay Portal 7.1.2 Releases: Liferay Portal 7.1
-
Severity 1 A bug in Liferay Portal CE 7.1 CE allows any authenticated user to change the password of another user, including an administrator. Once a user has access to an administrator account, a... Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.2 Multiple permission issues exist in Liferay Portal 7.1 CE GA2 which allow users to perform actions on resources which they are not authorized to perform. Severity 2 Liferay... Releases: Liferay Portal 7.1
-
Severity 2 A stored cross-site scripting (XSS) vulnerability exists with the image resolution information in Adaptive Media in Liferay CE 7.1 GA2. Liferay Portal 7.1.2 Liferay Portal 7.1.2 Releases: Liferay Portal 7.1
-
Severity 1 Liferay Portal 7.1.0 and earlier is vulnerable to remote code execution (RCE) via deserialization of JSON data. Liferay Portal 7.1.1 Liferay Portal 7.1.1 March 2020 source patch for...
-
Liferay Portal 7.1.1 March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page. March 2020 source patch for Liferay...
-
Severity 2 The password reset token may be leaked to a 3rd party website in Liferay Portal 7.1 CE. Out of the box, the password reset token is not leaked to any 3rd party website. However, if the... Releases: Liferay Portal 7.1
-
The default configuration for Liferay Portal 7.0.0 through 7.1.0 allows attackers to conduct XML External Entity (XXE) attacks via XSL templates in XSL Content and Web Content. Workaround: 1.... Releases: Liferay Portal 7.1, Liferay Portal 7.0
-
Liferay Portal 7.1.1 Liferay Portal 7.1.1 Severity 2 In Liferay Portal 7.1 CE GA1, users are normally required to enter their current password if they want to change their password. However, the... Releases: Liferay Portal 7.1
-
Notification emails sent to users in Liferay Portal 7.1 CE GA1 are vulnerable to HTML injection. An attacker can exploit this vulnerability for phishing attacks. Severity 2 Liferay Portal 7.1.1... Releases: Liferay Portal 7.1
-
Severity 2 Liferay Portal 7.1.0 and earlier is vulnerable to a Server-Side Request Forgery (SSRF) via Web Content templates and Application Display Templates (ADT) which may allow an attacker...
-
Severity 2 Liferay Portal 7.1.1 Liferay Portal 7.1.1 An LDAP injection vulnerability exists in Liferay 7.1 CE GA1 with user group names. Releases: Liferay Portal 7.1
-
Severity 2 Multiple permission issues exist in Liferay Portal 7.1 CE GA1 which allow users to perform actions on resources which they are not authorized to perform. Liferay Portal 7.1.1 Liferay... Releases: Liferay Portal 7.1
-
Severity 2 In Liferay Portal 7.1 CE GA1, multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Liferay Portal 7.1.1 Liferay... Releases: Liferay Portal 7.1
-
An open redirect vulnerability exists with Blogs RSS and tunnel-web in Liferay Portal 7.1 CE GA1. Severity 2 Liferay Portal 7.1.1 Liferay Portal 7.1.1 This issue was reported by Tiago Sintra Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.1 Liferay Portal 7.1.1 This issue was reported by Osama Mahmood Severity 2 In Liferay Portal 7.1 CE GA1, other sessions are not terminated when a user changes their password. Releases: Liferay Portal 7.1
-
In Liferay Portal 7.0 CE GA7, a theoretical OS command injection vulnerability exists in SendmailHook. Severity 2 Liferay Portal 7.1.0 7.0.6-ce-ga7-security-1.0 patch (source) By default, the... Releases: Liferay Portal 7.0
-
Severity 2 The CSV files that are exported by Liferay Portal 7.0 CE GA7 (user export, DDL export and Form export) are susceptible to CSV injection if the CSV file is opened by some spreadsheet... Releases: Liferay Portal 7.0
-
Liferay Portal 7.1.0 7.0.6-ce-ga7-security-1.0 patch (source) Liferay Portal 7.1.0 In Liferay Portal 7.0 CE GA7, a cross-site request forgery (CSRF) vulnerability exists with comments. An attacker... Releases: Liferay Portal 7.0
-
Severity 2 In Liferay Portal 7.0 CE GA7, a Form's REST data provider does not obfuscate the password, leading to password disclosure. Liferay Portal 7.1.0 Liferay Portal 7.1.0... Releases: Liferay Portal 7.0
-
In Liferay Portal 7.0 CE GA7, a flaw in the code used to prevent open redirects allows some crafted URLs to circumvent the open redirect prevention logic. Severity 2 Liferay Portal 7.1.0... Releases: Liferay Portal 7.0
-
Liferay Portal 7.1.0 Liferay Portal 7.1.0 7.0.6-ce-ga7-security-1.0 patch (source) Severity 2 In Liferay Portal 7.0 CE GA7, blogs titles are visible to users without the appropriate view... Releases: Liferay Portal 7.0
-
Some vulnerabilities reported by Gergő Czuczor Severity 2 In Liferay Portal 7.0 CE GA7, multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or... Releases: Liferay Portal 7.0
-
Multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to execute unwanted actions in the portal. Workaround: Remove the following lines from the... Releases: Liferay Portal 7.0
-
Severity 1 In Liferay Portal 7.0.5 and earlier, the Web Proxy portlet/application allows remote attackers to execute arbitrary code via a supplied stylesheet. Patched versions of the portal will... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE
-
Liferay Portal 7.0.6 The portal may be vulnerable to BREACH attacks if the portal is using HTTPS and compression (GZip) is enabled. Workaround: Disable compression by setting... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE
-
Severity 2 The "doAsUserId" parameter used by Administrators for impersonating another user can be leaked to third party sites. Liferay Portal 7.0.6 Liferay Portal 7.0.6 Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE
-
The asset tag API leaks information about the user who created the asset tag. Severity 2 Liferay Portal 7.0.6 Liferay Portal 7.0.6 Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE
-
Liferay Portal 7.0.6 Liferay Portal 7.0.6 Severity 2 Multiple permission issues allow users to perform actions on resources which they are not authorized to perform. Releases: Liferay Portal 7.0
-
A reflected cross-site scripting (XSS) vulnerability exists on the JSONWS API page. An attacker can potentially exploit this security vulnerability to insert malicious JavaScript into a page.... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE
-
Severity 2 Apache Commons Email is vulnerable to SMTP header injection (CVE-2017-9801). Liferay Portal is not vulnerable, however, custom modules/apps using the Commons Email JAR bundled with the... Releases: Liferay Portal 7.0
-
Liferay Portal 7.0.5 Liferay Portal 7.0.5 Severity 2 Content spoofing is possible via URL manipulation in applications that support tags. An attacker can potentially exploit this security... Releases: Liferay Portal 7.0, Liferay Portal 6.2 CE