Known Vulnerabilities

Blogs in Liferay Portal and Liferay DXP does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL. Liferay Portal 7.4.0...

Liferay Portal 7.4.3.112 Liferay DXP 2024.Q1.1 The Document Library and the Adaptive Media modules in Liferay Portal and Liferay DXP uses an incorrect cache-control header, which allows local...

Liferay Portal and Liferay DXP stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s...

Information exposure through log file vulnerability in LDAP import feature in Liferay Portal and Liferay DXP allows local users to view user email address in the log files. Liferay Portal 7.0.0...

The ComboServlet in Liferay Portal and Liferay DXP does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial...

Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions Liferay DXP 2023.Q3.1 through 2023.Q3.5 Liferay DXP 7.4 GA through U92 Liferay DXP 7.3 GA through U34, and older unsupported...

Liferay Portal fixed on master branch Liferay DXP 2024.Q1.1 Liferay DXP 2023.Q4.1 Liferay DXP 2023.Q3.5 Liferay DXP 7.3 update 36 Improper Authentication in Liferay Portal and Liferay DXP allows...

Liferay Portal 7.4.3.120 Liferay DXP 2024.Q1.6 Liferay DXP 2024.Q2.0 Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions Liferay DXP 2023.Q3.1 through 2023.Q3.10 Liferay DXP...

Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal and Liferay DXP allows remote attackers to register a server license via the 'orderUuid'...

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal and Liferay DXP allows remote attackers to (1) add files to arbitrary locations on the server and (2)...

Liferay Portal and Liferay DXP does not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API. Liferay Portal...

Liferay Portal 7.4.3.88 Liferay DXP 2023.Q3.1 Liferay DXP 7.4 update 88 Liferay DXP 7.3 update 30 This issue was reported by milCERT AT and Abderrahmane BOUNHIDJA Cross-site scripting (XSS)...

Open redirect vulnerability in page administration in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the...

Liferay Portal 7.4.3.22 Liferay DXP 7.4 Update 10 Liferay DXP 7.3 Update 26 SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,...

Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute Cross-Site Request Forgery Liferay Portal 7.4.3.120 Liferay DXP 2024.Q2.0...

Liferay Portal and Liferay DXP does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API. Liferay DXP 2023.Q3.1...

Liferay DXP 7.3 GA1 Liferay Portal 7.3.1 In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create...

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle...

Liferay Portal 7.2.1 Liferay Portal 7.0.0 through 7.2.0 does not check if a portlet mode is valid, which allows remote attackers to disable the product menu via supplying an invalid portlet mode in...

The portal property, auth.login.prompt.enabled defaults to true in Liferay Portal 7.0.0 through 7.4.2 which allows attackers to enumerate and discover the existence of screen names, site names, and...

Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1 allows remote attackers to inject arbitrary web script...

The Portal Security module in Liferay Portal 7.2.1 and earlier does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by...

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add...

Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the output of a...

In Liferay Portal 7.0.6, 7.1.3, 7.2.0, and possibly earlier unsupported versions, the MembershipRequestService APIs can be used in a denial-of-service attack on the mail server. Severity 2 Liferay...

Cross-site scripting (XSS) vulnerability in the Forms and Workflow module's edit workflow configuration in Liferay Portal 7.0.0 through 7.0.6 allows remote attackers to inject arbitrary web script...

The Portal Workflow module in Liferay Portal 6.2.2 through 7.3.2, user's passwords are stored in the database if workflow is enabled for new users. This allows attackers with access to the database...

The Dynamic Data Mapping module in Liferay Portal 7.3.2 and earlier, do not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission...

Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...

Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...

In Liferay Portal 7.3.0 and earlier, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password...

Cross-site scripting (XSS) vulnerability in the asset module in Liferay Portal 7.0.0 through 7.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1)...

Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by...

Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the title of a modal...

Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...

Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1 allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter....

The Flags module in Liferay Portal 7.3.1 and earlier does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator...

Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5 allows remote attackers to inject arbitrary web script or...

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or...

The JSON web services in Liferay Portal 7.3.4 and earlier, the JSON web service may contain overly verbose error messages, which allows remote attackers to use the contents of error messages to...

Liferay Portal 7.x before 7.2.1, is vulnerable to Server-Side Request Forgery (SSRF) via DDM REST Data Provider which allows an attacker access to sensitive information. This issue exists because...

Liferay Portal 7.2.1 June 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.1 and earlier,...

Liferay Portal 7.3.2 June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source patch for Liferay...

Liferay Portal 7.0.0 through 7.0.6 does not properly verify permission when creating pages which may lead to attackers changing portal settings and gaining access to sensitive information. Severity...

Liferay Portal 7.1.0 and earlier is vulnerable to denial-of-service (DoS) attacks via file uploads because of vulnerabilities in Apache Tika. Severity 1 Liferay Portal 7.1.1 March 2020 source patch...

Liferay Portal 7.0.3 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. The RSS portlet and FuseMail...

Remote code execution vulnerability in DDM template in Liferay Portal 7.0.0 and earlier allows remote authenticated users with permission to create/edit templates to create templates that can run...

Server side request forgery (SSRF) vulnerability in pingback functionality of blogs in Liferay Portal before 7.1.0 allows remote attackers to send HTTP requests to intranet servers and conduct...

Liferay Portal 7.0.1 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Review permissions settings and do...

The BaseBSFPortlet class contains a path traversal vulnerability via URL manipulation. Liferay Portal 7.0 CE does not use the BaseBSFPortlet class out of the box. However, developers extending...

In Liferay Portal 7.1 CE GA4 and earlier, a potential SQL injection vulnerability exist in the asset framework. Severity 1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with...

In Liferay Portal 7.2.0 and earlier contains a remote code execution (RCE) vulnerability via JSON web services (JSONWS).   Workaround: Disable JSONWS by setting the portal.property...

Liferay Portal 7.1.1 March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page. March 2020 source patch for Liferay...

Liferay Portal 7.1.0 and earlier is vulnerable to remote code execution (RCE) via deserialization of JSON data. Severity 1 Liferay Portal 7.1.1 March 2020 source patch for Liferay Portal 7.0.6....

Liferay Portal 7.1.0 and earlier contains a path traversal vulnerability in Web Content templates and Application Display Templates (ADT). The vulnerability allows any user with permission to...

The default configuration for Liferay Portal 7.0.0 through 7.1.0 allow attackers to conduct XML External Entity (XXE) attacks via XSL templates in XSL Content and Web Content. Workaround: 1....

Liferay Portal 7.1.0 and earlier is vulnerable to a Server-Side Request Forgery (SSRF) via Web Content templates and Application Display Templates (ADT) which may allow an attacker access to...

In LIferay Portal 7.0 CE GA7, a theoretical OS command injection vulnerability exists in SendmailHook. Severity 2 Liferay Portal 7.1.0 7.0.6-ce-ga7-security-1.0 patch (source) By default, the...

This issue was reported by Juho Myllys The CSV files that are exported by Liferay Portal 7.0 CE GA7 (user export, DDL export and Form export) is susceptible to CSV injection if the CSV file is...

In Liferay Portal 7.0 CE GA7, A cross-site request forgery (CSRF) vulnerability exist with comments. An attacker can potentially exploit this security vulnerability to add comments on behalf of a...