Known Vulnerabilities

  • CVE-2025-43809 CSRF vulnerability with server (license) registration
  • CVE-2025-3526 DoS vulnerability with SessionClicks
  • CVE-2025-3594 DoS vulnerability with SessionClicks
  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions
  • CVE-2024-8980 Mitigate against simple XSS attacks against script console
  • CVE-2021-38263 Reflected XSS with Script page
  • CVE-2021-38266 DoS vulnerability prevents LDAP users from authenticating
  • CVE-2021-33320 Flagging content as inappropriate is not rate limited
  • CVE-2021-33321 Insecure default configuration allows for user enumeration using forgot password
  • CVE-2021-33325 User's unencrypted passwords stored in database
  • CVE-2021-33338 Adding pages exposes CSRF token
  • CST-7114 Security vulnerabilities in Apache Tika
  • CST-6237 Password disclosure through IFrame portlet
  • CST-6238 Remote file disclosure with DDM templates
  • CST-6239 Denial-of-service vulnerability with file uploads
  • CST-6240 User with impersonate permission can elevate privileges to portal administrator
  • CST-7062 Denial-of-service vulnerability with embedded portlets
  • CST-7063 Pingback vulnerability in blogs
  • CST-7064 Remote code execution vulnerability in templates
  • CST-7065 DoS and MiM vulnerabilities in Apache Commons HttpClient
  • CST-7205 Unauthenticated remote code execution via JSONWS
  • CST-7113 Remote code execution using Web Content/DDM templates
  • CST-7138 SQL injection in asset framework
  • CST-7110 Path traversal vulnerability in templates
  • CST-7111 RCE via JSON deserialization
  • CST-7106 SSRF vulnerability via templates
  • CST-7046 Reflected XSS in JSONSWS API page
  • CST-7048 User information exposure in asset tag API
  • CST-7049 doAsUserId leaked to third party sites
  • CST-7050 BREACH attack vulnerability
  • CST-7051 Remote code execution via Web Proxy application
  • CST-7043 Local file disclosure via crafted URL
  • CST-7044 Content spoofing via URL manipulation
  • CST-7040 Denial of service vulnerability when using Xuggler
  • CST-7035 Login information exposed in URL
  • CST-7036 Reminder query answer exposed in shared environments
  • CST-7028 Denial of service vulnerability via crafted URL
  • CST-7029 Denial of service vulnerability via the editing of a wiki page
  • CST-7031 Velocity/FreeMarker templates do not properly restrict variable usage
  • CST-6233 Page configuration information disclosure
  • CST-6234 Insufficient permission checking in Message Board and Comments
  • CST-6235 User credentials appear in logs
  • CST-6236 Various XSS issues in 6.2.5 (Part 2)
  • CST-7018 RCE via TunnelServlet
  • CST-7019 DoS vulnerability via SessionClicks
  • CST-7021 DoS vulnerabilities in Apache Commons FileUpload
  • CST-7022 Open redirect vulnerability in Search
  • CST-7023 Password policy circumvention via forgot password
  • CST-7026 Password exposure in Server Administration
  • CST-7027 ThreadLocal may leak variables
  • LPS-67681 Search results include results to which a user should not have access
  • LPS-67682 Editing a blogs entry may reset the blog entry's permission
  • LPS-67683 XXE vulnerability in PDFBox
  • LPS-66683 All users are site administrators by default
  • LPS-66682 CSRF token is persisted in database
  • LPS-66681 Open redirect vulnerability with Facebook authentication
  • LPS-64547 Remote code execution and privilege escalation in templates
  • LPS-64444 Digest authentication does not respect password policies
  • LPS-64443 Password reminder answer disclosure
  • LPS-64442 Open redirect vulnerability
  • LPS-64441 Java serialization vulnerability
  • LPS-64440 Various XSS issues in 6.2.5
  • LPS-64438 Various permission issues in 6.2.5
  • LPS-58018 XSL Content portlet can be configured with any XML/XSL
  • LPS-58015 CSRF attack using uploaded flash files
  • LPS-58014 XXE vulnerability in OpenID authentication
  • LPS-57597 Path traversal vulnerability with plugins
  • LPS-57595 Email header injection vulnerability
  • LPS-57582 Various permission issues in 6.2.3
  • LPS-57553 Old password reset links are not invalidated
  • LPS-57552 DoS and information leak vulnerability with GenericPortlet
  • LPS-57532 Various XSS issues in 6.2.3
  • LPS-54386 XML external entity (XXE) processing vulnerability in 6.2.2
  • LPS-54384 User enumeration with Sign In portlet in 6.2.2
  • LPS-54382 Insecure handling of authentication information in 6.2.2
  • LPS-54306 Incorrect permission checking in 6.2.2
  • LPS-54303 Various XSS issues in 6.2.2
  • LPS-51061 HTTP host header manipulation
  • LPS-51094 Various XSS issues in 6.2.1 (Part 4)
  • LPS-48667 Multiple unvalidated redirects in 6.2.1
  • LPS-48763 Guest users can obtain list of sites and workflow definition
  • LPS-48071 Various XSS issues in 6.2.1 (Part 3)
  • LPS-47460 Struts 1 classloader manipulation (generic fix)
  • LPS-47428 Various XSS issues in 6.2.1 (Part 2)
  • LPS-47093 CVE-2014-0050 DoS using Apache Commons FileUpload
  • LPS-46552 Struts 1 classloader manipulation
  • LPS-45661 Various XSS issues in 6.2.1
  • LPS-43809 Various XSS issues in Liferay Portal 6.2.0
