
Known Vulnerabilities


Releases

  • Liferay Portal 7.4 U132
  • Liferay Portal 7.4
  • Liferay Portal 7.3
  • Liferay Portal 7.2
  • Liferay Portal 7.1
  • Liferay Portal 7.0
  • Liferay Portal 6.2 CE
  • Liferay Faces
  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2
  • Liferay DXP 7.1
  • Liferay DXP 7.0
  • Liferay DXP 2025.Q4
  • Liferay DXP 2025.Q3
  • Liferay DXP 2025.Q2
  • Liferay DXP 2025.Q1
  • Liferay DXP 2024.Q4
  • Liferay DXP 2024.Q3
  • Liferay DXP 2024.Q2
  • Liferay DXP 2024.Q1
  • Liferay DXP 2023.Q4
  • Liferay DXP 2023.Q3
  • CVE-2025-62255 Self-XSS with attachment file names in Knowledge Base
  • CVE-2025-62254 Very large ComboServlet responses
  • CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents
  • CVE-2025-43814 Password reminder answers recorded in audit events
  • CVE-2025-43809 CSRF vulnerability with server (license) registration
  • CVE-2025-62250 Portal fails to verify that messages from the cluster network are trusted
  • CVE-2024-11993 Reflected XSS in Dispatch Name field
  • CVE-2025-43799 Change password requirement bypass
  • CVE-2025-62246 Stored XSS with mentions in comments
  • CVE-2025-43795 Open redirect in System Settings, Instance Settings and Site Settings
  • CVE-2023-37940 XSS with "Service Class" in Service Access Policy
  • CVE-2025-3526 DoS vulnerability with SessionClicks
  • CVE-2025-3594 DoS vulnerability with SessionClicks
  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions
  • CVE-2023-42628 XSS with child wiki pages
  • CVE-2023-33937 Stored XSS with form name in form configuration
  • CVE-2023-33939 Stored XSS in Modified Facet
  • CVE-2023-33949 Users do not have to verify their email address by default
  • CVE-2022-42132 LDAP credentials exposed in URL
  • CVE-2022-42131 DDMRESTDataProvider vulnerable to man-in-the-middle attack
  • CVE-2022-42130 Unauthorized access to form entries via API
  • CVE-2022-42121 SQL injection vulnerability during page template upgrade
  • CVE-2022-42118 Reflected XSS with `tag` in Search
  • CVE-2022-42110 Stored XSS with announcement/alert type
  • CST-7230 Invalid portlet mode causes product menu to be inaccessible
  • CST-2022-01 Insecure defaults: auth.login.prompt.enabled
  • CVE-2022-28978 Stored XSS with user name in site membership
  • CVE-2022-28979 XSS in Custom Facet widget
  • CVE-2021-38263 Reflected XSS with Script page
  • CVE-2021-38266 DoS vulnerability prevents LDAP users from authenticating
  • CVE-2021-38268 Site members can add new forms by default
  • CVE-2021-38269 Stored XSS with Gogo Shell output
  • CST-7229 Mail server DoS via MembershipRequestService
  • CVE-2021-29040 Overly verbose JSON web services errors
  • CVE-2021-29043 S3 store's proxy password visible in System Settings
  • CVE-2021-29044 Stored XSS with membership request comment
  • CVE-2021-33320 Flagging content as inappropriate is not rate limited
  • CVE-2021-33321 Insecure default configuration allows for user enumeration using forgot password
  • CVE-2021-33322 Password change does not invalidate password reset tokens
  • CVE-2021-33323 Unauthenticated form drafts are visible to everybody
  • CVE-2021-33324 Unauthorized users can view a site's pages via page administration
  • CVE-2021-33325 Users' unencrypted passwords stored in database
  • CVE-2021-33326 XSS with the title of a modal window
  • CVE-2021-33328 Stored XSS with Web Content Structure names and Document Type names in Categories Admin
  • CVE-2021-33331 Open redirect vulnerability in notifications
  • CVE-2021-33332 Reflected XSS with portletId in Look and Feel Configuration
  • CVE-2021-33333 Unauthorized users can view and delete workflow submissions
  • CVE-2021-33334 Unauthorized users can view forms and form entries
  • CVE-2021-33335 Non-company admins can edit company admins
  • CVE-2021-33338 Adding pages exposes CSRF token
  • CVE-2022-26596 Stored XSS with Template name
  • CST-7224 Stored XSS with user name in Documents & Media file info panel
  • CST-7225 OAuth2 authentication bypass of REST application API
  • CST-7226 Open redirect in System Settings' search
  • CST-7310 Reflected XSS in Page Fragments' edit page
  • CST-7317 DoS vulnerability with multipart/form-data requests
  • CST-7150 JAX-RS APIs are vulnerable to CSRF
  • CST-7213 Java deserialization vulnerability in clustered setup
  • CST-7214 LDAP credentials exposed by 'Test LDAP Connection'
  • CST-7215 SSRF vulnerability via DDM REST Data Provider
  • CST-7216 Multiple XSS vulnerabilities in 7.1.3 and 7.2.1
  • CST-7217 Downloading MySQL Connector/J is vulnerable to MITM attacks
  • CST-7218 Libraries with known vulnerabilities in 7.1.3 and 7.2.1
  • CST-7219 Documents and Media file extension restriction circumvention
  • CST-7220 Directory traversal with Page Fragment exports
  • CST-7221 Flag email injection vulnerability
  • CST-7222 Any user can display an unconfigured instance of an instantiable widget
  • CST-7223 Private site disclosure via Blogs RSS
  • CST-7301 DDMDataProvider API leaks REST data provider password
  • CST-7302 Remote code execution with FreeMarker/Velocity templates
  • CST-7303 Circumvention of open redirect prevention using tabs
  • CST-7114 Security vulnerabilities in Apache Tika
  • CST-7144 Vulnerabilities in Lodash 4.17.4
  • CST-7145 User enumeration via forgot password
  • CST-7146 Security vulnerability in Jackson Databind 2.9.8
  • CST-7147 Security vulnerability in Jasig CAS Client 3.1.12
  • CST-7148 Security vulnerability in Apache Commons BeanUtils 1.9.2
  • CST-7149 Security vulnerability in Apache Tika 1.20
  • CST-7211 User can change password without current password
  • CST-7212 Passwords are emailed to users by default
  • CST-7204 Mail server DoS using /user/send-password-by-*
  • CST-7205 Unauthenticated remote code execution via JSONWS
  • CST-7206 Hello World widget reveals portal version information
  • CST-7208 'leaflet' loaded using HTTP
  • CST-7209 Search results redirect users to non-HTTPS links
  • CST-7210 Email and password disclosure in Sign In
  • CST-7113 Remote code execution using Web Content/DDM templates
  • CST-7129 Pre-defined permissions for roles
  • CST-7127 Path traversal vulnerability in Poller
  • CST-7128 Open redirect in Language Selector widget
  • CST-7131 Libraries with known vulnerabilities
  • CST-7132 Unauthorized users can view web content articles via display pages
  • CST-7133 Multiple permission vulnerabilities in 7.1 CE GA4
  • CST-7134 Password policy regular expression truncation
  • CST-7135 Multiple XSS vulnerabilities in 7.1 CE GA4
  • CST-7136 OpenID phishing attack vulnerability
  • CST-7137 SSRF vulnerability via XSLT
  • CST-7138 SQL injection in asset framework
  • CST-7139 User password is visible on screen
  • CST-7140 DoS vulnerability via unresponsive DNS servers
  • CST-7141 RCE using JSON deserialization in templates
  • CST-7142 'virtual.hosts.valid.hosts' bypass via 'X-Forwarded-Host' header
  • CST-7143 LDAP credentials are transmitted in plain text
  • CST-7130 Multiple XSS vulnerabilities in 7.1 CE GA3
  • CST-7125 SSRF vulnerability via DDM REST Data Provider
  • CST-7124 Anonymous message boards post can be associated with a user
  • CST-7123 Company secret key is accessible via templates
  • CST-7126 Password info recorded in logs
  • CST-7122 Multiple permission vulnerabilities in 7.1 CE GA3
  • CST-7121 Anonymous message boards post can be associated with a user
  • CST-7120 Open redirect in <liferay-ui:header>
  • CST-7115 Stored XSS with image resolutions in Adaptive Media
  • CST-7116 Multiple permission vulnerabilities in 7.1 CE GA2
  • CST-7117 Unverified password change
  • CST-7118 User login is vulnerable to CSRF
  • CST-7119 Overly verbose error message
  • CST-7110 Path traversal vulnerability in templates
  • CST-7111 RCE via JSON deserialization
  • CST-7112 Password reset token leaked to 3rd party sites
  • CST-7109 XXE vulnerability in XSL Content & Web Content
  • CST-7106 SSRF vulnerability via templates
  • CST-7107 HTML injection in notification emails
  • CST-7108 User can change password without entering current password
  • CST-7104 Multiple permission vulnerabilities in 7.1 CE GA1
  • CST-7105 LDAP injection
  • CST-7103 Multiple XSS vulnerabilities in 7.1 CE GA1
  • CST-7102 Open redirect vulnerability with Blogs RSS and tunnel-web
  • CST-7101 Password change does not terminate other sessions
