- The Commerce component in Liferay Portal and Liferay DXP saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download...
- Liferay Portal 7.1.0 through 7.4.3.101, Liferay DXP 2023.Q3.0 through 2023.Q3.4, Liferay DXP 7.4 GA through U92, Liferay DXP 7.3 GA through U35, and older unsupported versions. Liferay Portal...
- Liferay Portal 7.4.3.88, Liferay DXP 2023.Q3.1, Liferay DXP 7.4 update 88, Liferay DXP 7.3 update 30. This issue was reported by milCERT AT and Abderrahmane BOUNHIDJA. Cross-site scripting (XSS)...
- Open redirect vulnerability in page administration in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the...
- Liferay Portal and Liferay DXP do not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex...
- Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal and Liferay DXP allows remote attackers to access arbitrary CSS and JSS files and load the files...
- Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1)...
- Liferay Portal 7.4.3.22, Liferay DXP 7.4 Update 10, Liferay DXP 7.3 Update 26. SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,...
- Kaleo Forms Admin in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading to... Releases: Liferay Portal 7.4, Liferay DXP 7.3, Liferay DXP 7.4
- In Liferay Portal and Liferay DXP (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote...
- Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute Cross-Site Request Forgery. Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0...
- Severity 1. The Script Console in Liferay Portal and Liferay DXP does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary...
- Liferay Portal and Liferay DXP do not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API. Liferay DXP 2023.Q3.1...
- Stored cross-site scripting (XSS) vulnerability in a custom object's /o/c/<object-name> API endpoint in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
- Liferay Portal 7.4.3.4 through 7.4.3.111, Liferay DXP 2023.Q4.0 through 2023.Q4.5, Liferay DXP 2023.Q3.1 through 2023.Q3.8, Liferay DXP 7.4, Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP...
- Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal and Liferay DXP allows remote authenticated attackers to view publication comments via the...
- This issue was reported by foobar7. Stored cross-site scripting (XSS) vulnerability in Commerce's view order page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web...
- This issue was reported by foobar7. Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay DXP allows remote authenticated attackers to inject...
- Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay DXP allows remote authenticated attackers to inject arbitrary web script or HTML via crafted input in a workflow...
- Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
- Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
- Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Terms and Condition's...
- Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a...
- Multiple stored cross-site scripting (XSS) vulnerabilities in the related asset selector in Liferay Portal and Liferay DXP allow remote authenticated attackers to inject arbitrary web script or HTML...
- This issue was reported by foobar7. Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a...
- Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted...
- Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Calendar's "Name"...
- Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal and Liferay DXP allows remote attackers to (1) change user passwords, (2) shut down the server, (3)...
- Severity 2. Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal and Liferay DXP allows remote attackers to (1) change user passwords, (2) shut down the...
- Liferay Portal 7.4.3.108, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.3, Liferay DXP 2023.Q3.6, Liferay DXP 7.3 Update 36. This issue was reported by NDIx. Severity 2. Cross-site request forgery (CSRF)...
- Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the...
- Liferay Portal 7.4.0 through 7.4.3.111, Liferay Portal 7.3.2 through 7.3.7, Liferay DXP 2023.Q4.0 through 2023.Q4.5, Liferay DXP 2023.Q3.1 through 2023.Q3.8, Liferay DXP 7.4, Liferay DXP 7.3, Liferay...
- Severity 1. Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web script or...
- Liferay Portal 7.4.3.100, Liferay DXP 2023.Q3.5. Severity 2. The Account Settings page in Liferay Portal and Liferay DXP embeds the user's hashed password in the page's HTML source, which allows...
- Severity 1. Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the...
- This issue was reported by Barnabás Horváth (T4r0). User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exists in the application by...
- Workaround: Set the following in portal(-ext).properties: `http.header.version.verbosity=partial`. Liferay Portal 7.4.3.26, Liferay DXP 7.4 update 26, Liferay DXP 7.3 update 5, Liferay DXP 7.2 fix pack...
- Severity 2. Privilege escalation vulnerability in Wiki in Liferay Portal and Liferay DXP allows remote authenticated users to become the owner of a wiki page by editing the wiki page. Liferay Portal...
- This issue was reported by Liferay and milCERT AT. Severity 1. Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote authenticated users to inject...
- Liferay Portal 7.4.3.16, Liferay DXP 7.4 update 16, Liferay DXP 7.3 update 4, Liferay DXP 7.2 fix pack 19. Severity 2. The Image Uploader module in Liferay Portal and Liferay DXP relies on a request...