-
The Blogs module in Liferay Portal and Liferay DXP does not check permissions on images in a blog entry, which allows remote attackers to view the images in a blog entry via a crafted URL. Liferay Portal 7.4.0...
-
Liferay Portal 7.4.3.112; Liferay DXP 2024.Q1.1. The Document Library and Adaptive Media modules in Liferay Portal and Liferay DXP use an incorrect cache-control header, which allows local...
-
By default, Liferay Portal and Liferay DXP are vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by...
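The mitigation this entry refers to is cut off above. As an added example that is not Liferay's code, the following shows the generic defence against DNS rebinding: compare the Host header with an explicit allowlist before serving the request or building an absolute URL from it, instead of trusting whatever name DNS happened to map to the server. ALLOWED_HOSTS, the hostnames in it and the function names are constructed assumptions.

```python
# Added example, not Liferay's code: a Host-header allowlist of the kind that
# defeats DNS rebinding. ALLOWED_HOSTS and the function names are assumptions.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames this deployment is meant to answer for.
ALLOWED_HOSTS = {"portal.example.com", "intranet.example.com"}


def is_trusted_host(host_header: Optional[str]) -> bool:
    """True only if the Host header names a host in ALLOWED_HOSTS.

    In a DNS rebinding attack the attacker's name resolves to the victim's
    server after a short TTL, so the request arrives carrying an
    attacker-chosen Host header. The defence is to compare that header with
    an explicit allowlist rather than trusting whatever name DNS mapped.
    """
    if not host_header:
        return False
    # Prefix '//' so urlsplit parses the header as an authority component.
    parts = urlsplit("//" + host_header.strip())
    try:
        hostname = parts.hostname   # lower-cased; port and userinfo stripped
        parts.port                  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Reject userinfo tricks such as "portal.example.com@attacker.example"
    # and anything after the authority, which is not a bare host at all.
    if hostname is None or parts.username is not None or parts.path:
        return False
    return hostname in ALLOWED_HOSTS


def canonical_base_url(host_header: Optional[str]) -> Optional[str]:
    """Base URL for building absolute links and redirects, or None.

    Building links from an untrusted Host header is how rebinding turns into
    a redirect to the attacker's origin; only an allowlisted host is echoed,
    assumed to be served over HTTPS on the default port.
    """
    if not is_trusted_host(host_header):
        return None
    return "https://" + urlsplit("//" + host_header.strip()).hostname
```

Wire `is_trusted_host` into the request pipeline before any other processing (a servlet filter in a Java portal, middleware elsewhere) and answer an untrusted Host with 400 rather than a redirect, so the rebound request never reaches application code.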
-
Password enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine a user’s password via brute force even if account lockout is enabled. Liferay Portal...
-
Liferay Portal and Liferay DXP store password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s...
-
Information exposure through log file vulnerability in the LDAP import feature in Liferay Portal and Liferay DXP allows local users to view user email addresses in the log files. Liferay Portal 7.0.0...
-
Liferay Portal 7.3.7 through 7.4.3.92; Liferay DXP 2023.Q3.1 through 2023.Q3.4; Liferay DXP 7.4; Liferay DXP 7.3 SP3 through U36; Liferay Portal 7.4.3.104; Liferay DXP 2024.Q1.1; Liferay DXP 2023.Q4.0...
-
The ComboServlet in Liferay Portal and Liferay DXP does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial...
-
Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions; Liferay DXP 2023.Q3.1 through 2023.Q3.5; Liferay DXP 7.4 GA through U92; Liferay DXP 7.3 GA through U34, and older unsupported...
-
Liferay Portal fixed on master branch; Liferay DXP 2024.Q1.1; Liferay DXP 2023.Q4.1; Liferay DXP 2023.Q3.5; Liferay DXP 7.3 update 36. Improper Authentication in Liferay Portal and Liferay DXP allows...
-
Liferay Portal and Liferay DXP show content to users who do not have permission to view it via the Menu Display Widget. This security flaw could result in sensitive information being exposed to...
-
Liferay Portal 7.4.3.120; Liferay DXP 2024.Q1.6; Liferay DXP 2024.Q2.0; Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions; Liferay DXP 2023.Q3.1 through 2023.Q3.10; Liferay DXP...
-
In Liferay Portal and Liferay DXP, audit events record a user’s password reminder answer, which allows remote authenticated users to obtain a user’s password reminder answer via the audit...
-
Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal and Liferay DXP allows remote attackers to register a server license via the 'orderUuid'...
-
Liferay Portal 7.3.0 through 7.4.3.111; Liferay DXP 2023.Q3.0 through 2023.Q3.4; Liferay DXP 7.4 GA through U92; Liferay DXP 7.3 GA through U35; Liferay Portal 7.4.3.112; Liferay DXP 2024.Q1.1; Liferay...
-
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions; Liferay DXP 2023.Q3.0 through 2023.Q3.4; Liferay DXP 7.4 GA through U92; Liferay DXP 7.3 GA through U35, and older unsupported...
-
In Liferay Portal and Liferay DXP, the default membership type of a newly created site is “Open”, which allows any registered user to become a member of the site. A remote attacker with site...
-
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a "Rich Text"...
-
Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal and Liferay DXP allows remote attackers to (1) add files to arbitrary locations on the server and (2)...
-
This issue was reported by milCERT AT and Lucas Machado from Devoteam Cyber Trust. A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal and...
-
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field. Liferay Portal 7.4.0...
-
Liferay Portal and Liferay DXP do not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API. Liferay Portal...
-
Liferay Portal 7.4.3.112; Liferay DXP 2024.Q2.0; Liferay DXP 2024.Q1.1; Liferay DXP 2023.Q4.6; Liferay DXP 2023.Q3.9; Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions; Liferay DXP...
-
This issue was reported by foobar7. Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a...
-
This issue was reported by foobar7. Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal and Liferay DXP allows remote authenticated attackers to view the edit...
-
This issue was reported by foobar7. Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal and Liferay DXP allows remote authenticated users to from one virtual...
-
This issue was reported by argon21. Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web...
-
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected...
-
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and Liferay DXP allows remote authenticated users in one virtual instance to assign an organization to a user in a different...
-
Liferay Portal 7.4.3.112; Liferay DXP 2024.Q1.1; Liferay DXP 2023.Q3.9. This issue was reported by foobar7. Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal and Liferay...
-
Liferay Portal 7.1.0 through 7.4.3.101; Liferay DXP 2023.Q3.0 through 2023.Q3.4; Liferay DXP 7.4 GA through U92; Liferay DXP 7.3 GA through U35, and older unsupported versions; Liferay Portal...
-
Liferay Portal 7.4.3.88; Liferay DXP 2023.Q3.1; Liferay DXP 7.4 update 88; Liferay DXP 7.3 update 30. This issue was reported by milCERT AT and Abderrahmane BOUNHIDJA. Cross-site scripting (XSS)...
-
Open redirect vulnerability in page administration in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the...
-
Liferay Portal and Liferay DXP do not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex...
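The control this entry says was missing is a cap on selection-set nesting, applied before the query is executed. As an added example that is not Liferay's code, the following computes the nesting depth of a GraphQL document by scanning its braces while skipping string literals, block strings and comments (so an attacker cannot hide or fake nesting inside them) and rejects requests above a limit. MAX_DEPTH, the sample queries and the function names are constructed assumptions.

```python
# Added example, not Liferay's code: a query-depth limit for a GraphQL
# endpoint. MAX_DEPTH and the function names are assumptions.
MAX_DEPTH = 10  # assumed limit; tune to the deepest legitimate client query


def selection_depth(document: str) -> int:
    """Return the deepest selection-set nesting in a GraphQL document.

    Braces inside string literals, block strings and comments are skipped.
    Fragment spreads are not expanded: enforce the limit on each fragment
    definition as well, or resolve spreads first, if queries may use them.
    """
    depth = max_depth = 0
    i, n = 0, len(document)
    while i < n:
        ch = document[i]
        if ch == "#":                                   # comment to end of line
            while i < n and document[i] not in "\r\n":
                i += 1
        elif document.startswith('"""', i):             # block string
            end = document.find('"""', i + 3)
            while end != -1 and document[end - 1] == "\\":   # escaped \"""
                end = document.find('"""', end + 1)
            i = n if end == -1 else end + 3
        elif ch == '"':                                 # ordinary string
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1    # skip escape pairs
            i += 1
        else:
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced '}' in query")
            i += 1
    if depth != 0:
        raise ValueError("unterminated selection set in query")
    return max_depth


def check_query(document: str, max_depth: int = MAX_DEPTH) -> tuple:
    """(accepted, reason) for a request body; runs before any resolver."""
    try:
        depth = selection_depth(document)
    except ValueError as exc:
        return False, str(exc)
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, f"depth {depth}"
```

Depth is only one cost dimension; pair it with a limit on aliases and list sizes per level, since `{ a: me { id } b: me { id } ... }` is shallow but still multiplies resolver work.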
-
Liferay Portal 7.4.3.22; Liferay DXP 7.4 Update 10; Liferay DXP 7.3 Update 26. SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,...
-
Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute cross-site request forgery attacks. Liferay Portal 7.4.3.120; Liferay DXP 2024.Q2.0...
-
Liferay Portal and Liferay DXP do not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API. Liferay DXP 2023.Q3.1...
-
Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
-
Liferay Portal 7.4.3.108; Liferay DXP 2024.Q1.1; Liferay DXP 2023.Q4.3; Liferay DXP 2023.Q3.6; Liferay DXP 7.3 Update 36. This issue was reported by NDIx. Severity 2: Cross-site request forgery (CSRF)...
-
Liferay Portal 7.4.0 through 7.4.3.111; Liferay Portal 7.3.2 through 7.3.7; Liferay DXP 2023.Q4.0 through 2023.Q4.5; Liferay DXP 2023.Q3.1 through 2023.Q3.8; Liferay DXP 7.4; Liferay DXP 7.3; Liferay...
-
Severity 1: Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the...
-
This issue was reported by Barnabás Horváth (T4r0). User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exists in the application by...
-
Workaround: set http.header.version.verbosity=partial in portal(-ext).properties. Liferay Portal 7.4.3.26; Liferay DXP 7.4 update 26; Liferay DXP 7.3 update 5; Liferay DXP 7.2 fix pack...
-
Severity 2: Privilege escalation vulnerability in Wiki in Liferay Portal and Liferay DXP allows remote authenticated users to become the owner of a wiki page by editing the wiki page. Liferay Portal...
-
This issue was reported by Liferay and milCERT AT. Severity 1: Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote authenticated users to inject...
-
Liferay Portal 7.4.3.16; Liferay DXP 7.4 update 16; Liferay DXP 7.3 update 4; Liferay DXP 7.2 fix pack 19. Severity 2: The Image Uploader module in Liferay Portal and Liferay DXP relies on a request...
-
Severity 2: In Liferay Portal and Liferay DXP, the default configuration does not sanitize JavaScript from blog entries, which allows remote authenticated users to inject arbitrary web script or HTML...
-
Severity 2: HtmlUtil.escapeRedirect in Liferay Portal and Liferay DXP can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via...
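The bypass in this entry works because a protocol-relative URL such as `//attacker.example/` has no scheme, so a check that only looks for `http://` or `https://` lets it through, yet the browser resolves it against the current scheme and leaves the site. As an added example that is not Liferay's HtmlUtil, the following puts that naive check beside a redirect-target check that rejects protocol-relative forms, backslash variants and embedded control characters; it goes a little beyond the entry by covering those browser normalisations too. The function names and the default target are assumptions.

```python
# Added example, not Liferay's HtmlUtil: a redirect-target check, showing the
# naive pattern the '//' bypass defeats beside a check that rejects it.
# Function names and the default target are assumptions.
from urllib.parse import urlsplit


def naive_is_local(url: str) -> bool:
    """The broken idea: 'no scheme prefix, so it must be a local path'.

    A protocol-relative URL such as //attacker.example/ has no scheme, yet
    the browser resolves it against the current scheme and leaves the site.
    """
    return not url.lower().startswith(("http://", "https://"))


def safe_redirect_target(url, default="/"):
    """Return url only if a browser would resolve it on the current origin."""
    if not url:
        return default
    url = url.strip()
    # Browsers drop tabs/newlines before parsing, so '/\t/attacker.example'
    # is really '//attacker.example'; reject control characters outright.
    if any(ord(ch) < 0x20 for ch in url):
        return default
    # Browsers treat a backslash like a slash: '/\attacker.example' is '//'.
    if "\\" in url:
        return default
    if url.startswith("//"):
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:  # 'javascript:', 'https:', '//host', ...
        return default
    if not url.startswith("/"):       # relative paths depend on the current page
        return default
    return url
```

If the application needs to send users to other hosts, keep an allowlist of those hosts and compare `parts.hostname` against it after the parse above rather than loosening the check.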
-
Liferay Portal 7.4.0 through 7.4.3.18; Liferay Portal 7.3.0 through 7.3.7; Liferay Portal 7.2.0 and 7.2.1; Liferay Portal, older unsupported versions; Liferay DXP 7.4 before update 19; Liferay DXP 7.3...
-
Severity 2: The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal and Liferay DXP defaults to a low work factor, which allows attackers to quickly crack password hashes....
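The fix for a low work factor is to raise the iteration count and to re-hash existing records as users log in. As an added example that is not Liferay's code, the following stores the iteration count and salt next to each PBKDF2-HMAC-SHA1 digest, verifies in constant time, flags records below a policy floor and upgrades them on a successful login. The record format, MIN_ITERATIONS and the function names are assumptions; the known-answer values are the RFC 6070 test vectors.

```python
# Added example, not Liferay's code: PBKDF2-HMAC-SHA1 hashing with an explicit,
# checkable work factor. The record format, MIN_ITERATIONS and the helper
# names are assumptions; the known-answer values are from RFC 6070.
import hashlib
import hmac
import os
from typing import Optional

MIN_ITERATIONS = 600_000   # assumed policy floor; raise as hardware gets faster
DKLEN = 20                 # SHA-1 output size


def pbkdf2_hash(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Hash password, recording iterations and salt alongside the digest.

    Storing the work factor in the record is what lets you raise it later
    and transparently re-hash users on their next successful login.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, DKLEN)
    return f"pbkdf2_sha1${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha1":
        return False
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), DKLEN)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def needs_rehash(stored: str, minimum: int = MIN_ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than policy requires."""
    return int(stored.split("$")[1]) < minimum


def login(password: str, stored: str) -> Optional[str]:
    """Verify; on success return the record to keep in the database.

    Returns None on failure, the unchanged record when it already meets the
    floor, or a fresh record at MIN_ITERATIONS to write back in its place.
    """
    if not verify_password(password, stored):
        return None
    if needs_rehash(stored):
        return pbkdf2_hash(password, MIN_ITERATIONS)
    return stored
```

An attacker's cost scales linearly with the iteration count, so every order of magnitude added here is an order of magnitude removed from an offline cracking run against a leaked table; the iteration count is not secret and can be published in the record as shown.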
-
Severity 2: XXE vulnerability in Liferay Portal and Liferay DXP allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via...
-
Severity 2: The Journal module in Liferay Portal and Liferay DXP grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI...
-
Severity 2: Liferay Portal and Liferay DXP do not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permissions via the User...
-
Severity 1: Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
-
Liferay Portal 7.4.3.5; Liferay DXP 7.4 update 1; Liferay DXP 7.3 update 4; Liferay DXP 7.2 fix pack 17. Severity 1: Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's...
-
Severity 1: Stored cross-site scripting (XSS) vulnerability in the Users Admin module's edit user page in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web script...
-
Severity 1: Stored cross-site scripting (XSS) vulnerability in the Expando module's geolocation custom fields in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web...
-
Liferay Portal 7.4.0 through 7.4.2; Liferay Portal 7.3.0 through 7.3.7; Liferay Portal 7.2.0 and 7.2.1; Liferay Portal, older unsupported versions; Liferay DXP 7.3 before service pack 3; Liferay DXP 7.2...
-
Severity 2: The Calendar module in Liferay Portal and Liferay DXP does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject...
-
Liferay Portal 7.4.0 through 7.4.2; Liferay Portal 7.3.0 through 7.3.7; Liferay Portal 7.2.0 and 7.2.1; Liferay Portal, older unsupported versions; Liferay DXP 7.3 before update 4; Liferay DXP 7.2...