-
Liferay Portal 7.4.3.12 - 7.4.3.36 Liferay Portal 7.4.3.37 The Translation module in Liferay Portal 7.4.3.12 through 7.4.3.36 does not check permissions before allowing a user to export a web...Releases: Liferay Portal 7.4
-
Liferay Portal 7.4.3.9 This issue was reported by Jakub Zoczek, Securitum The Remote App module in Liferay Portal 7.4.3.4 through 7.4.3.8 does not check if the origin of event messages it receives...Releases: Liferay Portal 7.4
-
Liferay Portal 7.2.1 Liferay Portal 7.0.0 through 7.2.0 does not check if a portlet mode is valid, which allows remote attackers to disable the product menu via supplying an invalid portlet mode in...
-
The portal property auth.login.prompt.enabled defaults to true in Liferay Portal 7.0.0 through 7.4.2, which allows attackers to enumerate and discover the existence of screen names, site names, and...
-
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of...Releases: Liferay Portal 7.4
-
Liferay Portal 7.4.2 Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the...Releases: Liferay Portal 7.4
-
Cross-site scripting (XSS) vulnerability in the Fragment modules in Liferay Portal 7.4.3.4 allows remote attackers to inject arbitrary web script or HTML via parameters with a `filter_` prefix....Releases: Liferay Portal 7.4
-
Liferay Portal 7.4.3.4 January 2022 source patch for Liferay Portal 7.3.7. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for...
-
Cross-site scripting (XSS) vulnerability in the <liferay-asset:asset-tags-selector> tag in Liferay Portal 7.3.3 through 7.4.2 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1 allows remote attackers to inject arbitrary web script...
-
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.3.7 through 7.4.1 allows remote authenticated users to view sites/groups via the user's site membership assignment UI. Because user permission does not properly check when...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Liferay Portal 7.3.5 - 7.3.7 Liferay Portal 7.4.0 Liferay Portal 7.4.1 January 2022 source patch for Liferay Portal 7.3.7. Details for working with source patches can be found on the Patching...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
This issue was reported by Duy Huynh Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0 allows remote attackers to inject...Releases: Liferay Portal 7.4 Liferay Portal 7.3
-
The Portal Security module in Liferay Portal 7.2.1 and earlier does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by...
-
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add...
-
Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML when creating a collection page via...Releases: Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the output of a...
-
Liferay Portal 7.3.7 Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6 allows remote attackers to inject arbitrary web script...Releases: Liferay Portal 7.3
-
This issue was reported by Mariani Francesco Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0 allows remote attackers to inject...
-
In Liferay Portal 7.0.6, 7.1.3, 7.2.0, and possibly earlier unsupported versions, the MembershipRequestService APIs can be used in a denial-of-service attack on the mail server. Severity 2 Liferay...
-
Cross-site scripting (XSS) vulnerability in the Forms and Workflow module's edit workflow configuration in Liferay Portal 7.0.0 through 7.0.6 allows remote attackers to inject arbitrary web script...Releases: Liferay Portal 7.0
-
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via...Releases: Liferay Portal 7.4
-
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1)...Releases: Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site...Releases: Liferay Portal 7.3
-
In the Portal Workflow module in Liferay Portal 6.2.2 through 7.3.2, user passwords are stored in the database if workflow is enabled for new users. This allows attackers with access to the database...
-
Cross-site scripting (XSS) vulnerability in the portlet configuration module in Liferay Portal 7.1.0 through 7.3.2 allows remote attackers to inject arbitrary web script or HTML via the...
-
The Dynamic Data Mapping module in Liferay Portal 7.3.2 and earlier does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission...
-
Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
-
Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
-
In Liferay Portal 7.3.0 and earlier, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password...
-
Cross-site scripting (XSS) vulnerability in the layout module in Liferay Portal 7.2.0 and 7.2.1 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.2
-
Cross-site scripting (XSS) vulnerability in the asset module in Liferay Portal 7.0.0 through 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the (1)...
-
Cross-site scripting (XSS) vulnerability in the document library module in Liferay Portal 7.3.0 through 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the fragment module's view collection page in Liferay Portal 7.2.1 through 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by...
-
Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the title of a modal...
-
The portlet configuration module in Liferay Portal 7.2.0 through 7.3.3 does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Cross-site scripting (XSS) vulnerability in Web Content Display in Liferay Portal 7.1.1 through 7.3.3 allows remote attackers to inject arbitrary web script or HTML via web content template names....
-
Cross-site scripting (XSS) vulnerability in the journal module in Liferay Portal 7.3.0 through 7.3.3 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
-
Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. This issue was reported by Prajwal...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1 allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter....
-
The Flags module in Liferay Portal 7.3.1 and earlier does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator...
-
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2 autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form...
-
Liferay Portal 7.3.2 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
-
Liferay Portal 7.3.6 Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4 and 7.3.5 allows remote attackers to inject arbitrary web script...Releases: Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.0 through 7.3.5 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3 Liferay Portal 7.2
-
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5 allows remote attackers to inject arbitrary web script or...
-
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or...
-
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.6 Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5 allows remote attackers to inject...Releases: Liferay Portal 7.3
-
The SimpleCaptcha implementation in Liferay Portal 7.3.4 and 7.3.5 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a...Releases: Liferay Portal 7.3
-
The JSON web services in Liferay Portal 7.3.4 and earlier may contain overly verbose error messages, which allows remote attackers to use the contents of error messages to...
-
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote...Releases: Liferay Portal 7.3
-
May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.0 and 7.2.1, a reflected cross-site...Releases: Liferay Portal 7.2
-
The redirect module in Liferay Portal 7.3.2 does not limit the number of URLs that result in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by...Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.3 September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. CVE-2020-15839 has been assigned...
-
Cross-site scripting (XSS) vulnerability in the login module in Liferay Portal before 7.3.3 allows remote attackers to inject arbitrary web script or HTML via the...Releases: Liferay Portal 7.3 Liferay Portal 7.2