-
Cross-site scripting (XSS) vulnerability in the journal module in Liferay Portal 7.3.0 through 7.3.3 allows remote attackers to inject arbitrary web script or HTML via the... Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
-
Liferay Portal 7.3.3 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. This issue was reported by Prajwal... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1 allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter....
-
The Flags module in Liferay Portal 7.3.1 and earlier does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator...
-
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2 autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form...
-
Liferay Portal 7.3.2 May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for Liferay...
-
Liferay Portal 7.3.6 Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4 and 7.3.5 allows remote attackers to inject arbitrary web script... Releases: Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.0 through 7.3.5 allows remote attackers to inject arbitrary web script or HTML via the... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5 allows remote attackers to inject arbitrary web script or...
-
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or...
-
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 allows remote attackers to inject arbitrary web script or HTML via the... Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.6 Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5 allows remote attackers to inject... Releases: Liferay Portal 7.3
-
The SimpleCaptcha implementation in Liferay Portal 7.3.4 and 7.3.5 does not invalidate CAPTCHA answers after they are used, which allows remote attackers to repeatedly perform actions protected by a... Releases: Liferay Portal 7.3
-
The JSON web services in Liferay Portal 7.3.4 and earlier may contain overly verbose error messages, which allows remote attackers to use the contents of error messages to...
-
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote... Releases: Liferay Portal 7.3
-
May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.0 and 7.2.1, a reflected cross-site... Releases: Liferay Portal 7.2
-
The redirect module in Liferay Portal 7.3.2 does not limit the number of URLs that result in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by... Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.3 September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. CVE-2020-15839 has been assigned...
-
Cross-site scripting (XSS) vulnerability in the login module in Liferay Portal before 7.3.3 allows remote attackers to inject arbitrary web script or HTML via the... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Liferay Portal before 7.3.3 does not properly restrict access to the sitemap.xml of staged public pages, which allows remote attackers to access sitemap.xml and learn of the existence and count of... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Liferay Portal 7.3.1 September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. The Calendar widget records... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Stored cross-site scripting (XSS) vulnerability in workflow definition editor in Liferay Portal before 7.3.1 allows remote attackers to inject arbitrary web script or HTML via the user's name.... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Liferay Portal 7.2.1, 7.3.2 and possibly earlier unsupported versions include the following libraries which have known vulnerabilities: Netty 4.1.42, Dom4j 2.1.1, Apache CXF 2.7.11, Apache Olingo... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
In Liferay Portal 7.1.0 through 7.2.1, an open redirect vulnerability exists with the 'redirect' parameter in System Settings' search. Severity 2 September 2020 source patch for Liferay Portal... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
The OAuth module in Liferay Portal 7.1.0 through 7.2.1 contains an authentication flaw which allows an attacker with a valid OAuth2 token to access the REST application APIs in a different Portal... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
Stored cross-site scripting (XSS) vulnerability in the Document Library module in Liferay Portal 7.1.0 through 7.2.1 allows remote attackers to inject arbitrary web script or HTML via the user's... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
In Liferay Portal before 7.3.3, an administrator can limit the type of images that can be used as a blog cover image. However, this protection can be circumvented via HTTP manipulation to upload... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Multiple cross-site scripting (XSS) vulnerabilities in the fragment module in Liferay Portal 7.1.0 through 7.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1)...
-
Liferay Portal 7.3.3 September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. The login module in Liferay... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Liferay Portal before 7.3.1 does not decode a URL before determining if the resource should be served, which allows remote attackers to access restricted portlet resources (e.g., files within... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
The staging module in Liferay Portal before 7.3.2 does not properly check user permission, which allows remote authenticated users to delete a publishing process via the staging menu. Severity 2... Releases: Liferay Portal 7.3, Liferay Portal 7.2
-
Liferay Portal 7.3.1 Liferay Portal 7.3.0 does not properly check user permissions, which allows remote authenticated users to view user groups that are members of a site via the site's membership... Releases: Liferay Portal 7.3
-
Liferay Portal 7.3.0 and 7.3.1 include the following libraries which have known vulnerabilities: Apache POI 4.1.0 Severity 2 Liferay Portal 7.3.2 Releases: Liferay Portal 7.3
-
Cross-site scripting (XSS) vulnerability in the portal workflow module in Liferay Portal 7.3.0 allows remote attackers to inject arbitrary web script or HTML via the user name parameter. Severity 2... Releases: Liferay Portal 7.3
-
This issue was reported by Jawwad Hussain. In Liferay Portal before 7.3.1, the PortalUtil.escapeRedirect() API can be circumvented by using the tab character. This may allow an attacker to redirect...
-
In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, the existence of a private site and the site name is disclosed in the Blogs widget's RSS feed. Severity 2 Liferay Portal 7.2.1... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
In Liferay Portal 7.1.3, 7.2.0 and possibly earlier unsupported versions, any user can display an unconfigured instance of an instantiable widget. Severity 2 Liferay Portal 7.2.1 June 2020 source patch... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source patch for Liferay Portal 7.1.3. Details... Releases: Liferay Portal 7.2, Liferay Portal 7.1
-
In Liferay Portal 7.1.3, 7.2.1 and possibly earlier unsupported versions, exporting Page Fragments and Page Fragment Collections can overwrite files in the filesystem with the following filenames:... Releases: Liferay Portal 7.2, Liferay Portal 7.1