-
June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source patch for Liferay Portal 7.1.3. Details...Releases: Liferay Portal 7.2 Liferay Portal 7.1
-
Liferay Portal 7.1.3 and 7.2.1 include the following libraries which have known vulnerabilities: Apache Commons Compress 1.18 Bouncy Castle Provider 1.45 c3p0 0.9.5.3 Jackson Databind 2.9.9.3...Releases: Liferay Portal 7.2 Liferay Portal 7.1
-
In Liferay Portal 7.1.3, 7.2.1 and possibly earlier unsupported versions, the setup wizard will automatically download MySQL Connector/J if the selected database is MySQL. This download is done...Releases: Liferay Portal 7.2 Liferay Portal 7.1
-
Some vulnerabilities reported by Casey Erdmann, Giuseppino Cadeddu and Simone Cinti Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.1.3, 7.2.1 and possibly earlier...Releases: Liferay Portal 7.2 Liferay Portal 7.1
-
Liferay Portal 7.x before 7.2.1 is vulnerable to Server-Side Request Forgery (SSRF) via the DDM REST Data Provider, which allows an attacker to access sensitive information. This issue exists because...
-
In Liferay Portal 7.1.3 and possibly earlier unsupported versions, the JAX-RS API does not check for a CSRF token, which allows remote attackers to perform Cross-site request forgery (CSRF)...Releases: Liferay Portal 7.1
-
Liferay Portal 7.2.1 June 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.1 and earlier,...
-
In Liferay Portal 7.2.1 and earlier, a Java deserialization vulnerability exists when the portal is clustered. Communication between the nodes can be intercepted and modified. This may result in...Releases: Liferay Portal 7.2 Liferay Portal 7.1
-
In Liferay Portal before 7.3.2, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and...
-
Liferay Portal 7.3.2 June 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page. June 2020 source patch for Liferay...
-
Liferay Portal 7.1.3 and possibly earlier unsupported versions is bundled with Apache Tika 1.20 which contains known vulnerabilities. Severity 2 March 2020 source patch for Liferay Portal...Releases: Liferay Portal 7.1
-
March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.1.3 and possibly earlier unsupported...Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.3 and possibly earlier unsupported versions is bundled with Jasig CAS Client 3.1.12 which contains known vulnerabilities. Severity 2 March 2020 source patch for Liferay...Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.3 and possibly earlier unsupported versions is bundled with Jackson Databind 2.9.8 which contains known vulnerabilities. Severity 2 March 2020 source patch for Liferay...Releases: Liferay Portal 7.1
-
March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.1.3 and possibly earlier unsupported...Releases: Liferay Portal 7.1
-
Insecure default configuration in Liferay Portal 7.2.0 and earlier allows man-in-the-middle attackers to intercept the email sent to users when their account is created and log in as the user. ...Releases: Liferay Portal 7.2 Liferay Portal 7.1
-
In Liferay Portal 7.1.3 and possibly earlier unsupported versions, the 'com.liferay.frontend.js.lodash.web' bundle includes Lodash 4.17.4 which has known vulnerabilities. Severity 2 March 2020...Releases: Liferay Portal 7.1
-
Liferay Portal 7.0.0 through 7.0.6 does not properly verify permission when creating pages which may lead to attackers changing portal settings and gaining access to sensitive information. Severity...Releases: Liferay Portal 7.0
-
Liferay Portal 7.1.0 and earlier is vulnerable to denial-of-service (DoS) attacks via file uploads because of vulnerabilities in Apache Tika. Severity 1 Liferay Portal 7.1.1 March 2020 source patch...
-
Liferay Portal 7.2.1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. In Liferay Portal 7.2.0 and earlier,...Releases: Liferay Portal 7.2 Liferay Portal 7.1
-
Liferay Portal 7.0.3 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. The RSS portlet and FuseMail...Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
-
Liferay Portal 6.2.5 and earlier does not properly check permissions, which allows remote authenticated users to impersonate, edit, or delete administrators. Workaround: Remove the User.DELETE,...Releases: Liferay Portal 6.2 CE
-
Remote code execution vulnerability in DDM template in Liferay Portal 7.0.0 and earlier allows remote authenticated users with permission to create/edit templates to create templates that can run...Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
-
Denial-of-service (DoS) vulnerability in document library in Liferay Portal 6.2.5 and earlier allows remote attackers to cause an OutOfMemoryError by uploading a crafted PDF file. Workaround: Use...Releases: Liferay Portal 6.2 CE
-
Remote file disclosure vulnerability in DDM templates in Liferay Portal 6.2.5 and earlier allows remote authenticated users with permission to create/edit templates to view any files that are readable...Releases: Liferay Portal 6.2 CE
-
March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. The IFrame portlet in Liferay Portal 6.2.5 and earlier...Releases: Liferay Portal 6.2 CE
-
Server side request forgery (SSRF) vulnerability in pingback functionality of blogs in Liferay Portal before 7.1.0 allows remote attackers to send HTTP requests to intranet servers and conduct...Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
-
Liferay Portal 7.0.1 March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page. Review permissions settings and do...Releases: Liferay Portal 7.0 Liferay Portal 6.2 CE
-
The BaseBSFPortlet class contains a path traversal vulnerability via URL manipulation. Liferay Portal 7.0 CE does not use the BaseBSFPortlet class out of the box. However, developers extending...Releases: Liferay Portal 7.0
-
In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the LDAP credentials are transmitted in plain text. Severity 2 March 2020 source patch for Liferay Portal 7.1.3. Details for...Releases: Liferay Portal 7.1
-
In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the 'X-Forwarded-Host' HTTP header can be used to bypass the whitelisted hosts provided in the portal property...Releases: Liferay Portal 7.1
-
Liferay Portal 7.1.3 and earlier is vulnerable to remote code execution via deserialization of JSON data. Severity 1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with...Releases: Liferay Portal 7.1
-
March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. The open redirect protection component in Liferay Portal...Releases: Liferay Portal 7.1
-
In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, the user's password is visible on the screen immediately after the account creation process. Severity 2 March 2020 source...Releases: Liferay Portal 7.1
-
In Liferay Portal 7.1 CE GA4 and earlier, a potential SQL injection vulnerability exists in the asset framework. Severity 1 March 2020 source patch for Liferay Portal 7.1.3. Details for working with...
-
March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page. Liferay Portal 7.1 CE GA4 and possibly earlier...Releases: Liferay Portal 7.1
-
In Liferay Portal 7.1 CE GA4 and possibly earlier unsupported versions, users may be tricked into creating an account with an OpenID provider. If the OpenID provider is not trustworthy, an attacker...Releases: Liferay Portal 7.1
-
In Liferay Portal 7.1 CE GA4, multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML into a page. Severity 2 March 2020 source patch for...Releases: Liferay Portal 7.1
-
Liferay Portal 7.1 GA1 and possibly earlier unsupported versions truncates the regular expression field in a password policy. This may result in users using passwords which they should not use....Releases: Liferay Portal 7.1
-
Multiple permission issues exist in Liferay Portal 7.1 CE GA4 which allow users to perform actions on resources which they are not authorized to perform. Severity 2 March 2020 source patch for...Releases: Liferay Portal 7.1