-
Severity 1 Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via crafted...
-
Severity 2 Liferay Portal and Liferay DXP return different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote...
-
Liferay Portal 7.4.0 through 7.4.3.11 Liferay Portal 7.3.0 through 7.3.7 Liferay Portal 7.2.0 and 7.2.1 Liferay Portal, older unsupported versions Liferay DXP 7.4 before update 8 Liferay DXP 7.3...
-
Severity 2 The IFrame widget in Liferay Portal and Liferay DXP does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self...
-
Severity 1 The Document and Media widget in Liferay Portal and Liferay DXP does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a...
-
Severity 2 A Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay DXP and Liferay Portal allows remote attackers to accept the site's terms of use via social...
-
Liferay Portal 7.3.6 Liferay DXP 7.3 service pack 1 Liferay DXP 7.2 fix pack 17 This issue was reported by Duracell80 Severity 2 Liferay Portal and Liferay DXP do not obfuscate password reminder...
-
Severity 2 Account lockout in Liferay Portal and Liferay DXP does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been...
-
Severity 1 Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal allows remote attackers to inject arbitrary web script or HTML via the... Releases: Liferay DXP 7.4
-
Liferay DXP 7.4 update 86 Liferay Portal 7.4.3.86 This issue was reported by Amin ACHOUR Severity 1 Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 1 Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal and Liferay DXP allow remote... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Stored cross-site scripting (XSS) vulnerability in the Page Tree menu in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...
-
Severity 2 Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.3 before update 33 Liferay DXP 7.4 before update 92 Liferay Portal 7.3.5 through 7.4.3.91 Liferay DXP 7.4 update 92 Liferay Portal 7.4.3.92 This issue was reported by Michael Oelke...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML into a parent wiki...
-
Severity 2 Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 The organization selector in Liferay Portal and Liferay DXP does not check user permission, which allows remote authenticated users to obtain a list of all organizations. Liferay DXP 7.4... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 1 Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to execute arbitrary code in the... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
This issue was reported by NDIx Severity 2 Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to redirect users to... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 1 Pattern Redirects in Liferay Portal and Liferay DXP allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
The Dynamic Data Mapping module in Liferay Portal and Liferay DXP does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.3 GA1 Liferay Portal 7.3.1 In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create...
-
The Object module in Liferay Portal and Liferay DXP does not segment object definition by virtual instance in search, which allows remote authenticated users in one virtual instance to view object... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 before update 49 Liferay Portal 7.4.3.4 - 7.4.3.48 Liferay DXP 7.4 update 49 Liferay Portal 7.4.3.49 The Object module in Liferay Portal and Liferay DXP does not properly isolate... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Severity 2 Liferay DXP 7.3 before update 6 Liferay DXP 7.4 before update 18 Liferay Portal 7.3.1 - 7.3.7 Liferay Portal 7.4.0 - 7.4.3.17 Liferay DXP 7.3 update 6 Liferay DXP 7.4 update 18 Liferay...
-
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a...
-
Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 update 51 Liferay Portal 7.4.3.51 Liferay DXP 7.4 update 50 Liferay Portal 7.4.3.50 Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Multiple cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal and Liferay DXP allow remote attackers to inject... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Liferay DXP 7.4 before update 31 Liferay Portal 7.4.0 - 7.4.3.30 Liferay DXP 7.4 update 31 Liferay Portal 7.4.3.31 Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay... Releases: Liferay Portal 7.4 Liferay DXP 7.4
-
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script...
-
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...
-
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle...
-
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.2 does not validate HTTPS certificates used with DDMRESTDataProvider, which allows man-in-the-middle attackers to impersonate,...
-
Liferay Portal 7.1.0 - 7.1.3 Liferay Portal 7.2.0 - 7.2.1 Liferay Portal 7.3.0 - 7.3.7 Liferay Portal 7.4.0 - 7.4.3.4 Liferay Portal 7.4.3.5 There is no fix available for Liferay Portal 7.1, 7.2...
-
Insecure direct object reference vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4 allows remote authenticated users to view and access form entries via the... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4 does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the... Releases: Liferay Portal 7.4
-
Liferay Portal 7.4.3.37 This issue was reported by 4rth4s The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36 does not properly check user permission, which allows remote attackers... Releases: Liferay Portal 7.4
-
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious... Releases: Liferay Portal 7.4
-
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 allows remote attackers to consume an excessive amount of server resources via a crafted payload... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18 allows attackers to create or overwrite existing files on the filesystem via the installation of a... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.3.7 Liferay Portal 7.4.0 There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4. SQL injection vulnerability in the Friendly Url module's upgrade... Releases: Liferay Portal 7.3
-
SQL injection vulnerability in the Layout module's page template upgrade process in Liferay Portal 7.1.3 through 7.4.3.4 allows remote authenticated attackers to execute arbitrary SQL commands via...
-
SQL injection vulnerability in the Fragment module's PortletPreferences upgrade process in Liferay Portal 7.3.3 through 7.4.3.16 allows attackers to execute arbitrary SQL commands via a... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.4.3.4 There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4. This issue was reported by Duy Huynh Cross-site scripting (XSS) vulnerability in the... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Portal Search module's Tag Facet widget in Liferay Portal 7.1.0 through 7.4.2 allows remote attackers to inject arbitrary web script or HTML via the...
-
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module's <clay:label> tag in Liferay Portal 7.3.2 through 7.4.3.16 allows remote attackers to inject arbitrary web script or HTML via... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14 allows remote attackers to inject arbitrary web script or... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML... Releases: Liferay Portal 7.4
-
Liferay Portal 7.4.0 - 7.4.3.36 Liferay Portal 7.4.3.37 Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36 allows remote... Releases: Liferay Portal 7.4
-
Cross-site scripting (XSS) vulnerability in Document Library module's move file interface in Liferay Portal 7.4.3.30 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML... Releases: Liferay Portal 7.4
-
Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24 allows remote attackers to inject arbitrary web script or HTML via a...
-
Liferay Portal 7.4.3.4 There is no fix available for Liferay Portal 7.2 and 7.3. Please upgrade to Liferay Portal 7.4. Cross-site scripting (XSS) vulnerability in the Sharing module's user...
-
Cross-site scripting (XSS) vulnerability in the Announcements module's Announcement and Alerts management page in Liferay Portal 7.1.0 through 7.4.2 allows remote attackers to inject arbitrary web...
-
This issue was reported by Rafal Lykowski, A1 Digital International Cross-site scripting (XSS) vulnerability in the Document Library module in Liferay Portal 7.3.5 through 7.4.3.28 allows remote... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector input field in Liferay Portal 7.3.0 through 7.4.2 allows remote attackers to inject arbitrary web script or... Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
The Layout module in Liferay Portal 7.3.3 through 7.4.3.34 does not check user permission before showing the preview of a "Content Page" type page, which allows remote attackers to view unpublished... Releases: Liferay Portal 7.4 Liferay Portal 7.3