Known Vulnerabilities

Blogs in Liferay Portal and Liferay DXP does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL. Liferay Portal 7.4.0...

Liferay Portal 7.4.3.112 Liferay DXP 2024.Q1.1 The Document Library and the Adaptive Media modules in Liferay Portal and Liferay DXP uses an incorrect cache-control header, which allows local...

By default, Liferay Portal and Liferay DXP is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by...

Password enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack. Liferay Portal...

Liferay Portal and Liferay DXP stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s...

Information exposure through log file vulnerability in LDAP import feature in Liferay Portal and Liferay DXP allows local users to view user email address in the log files. Liferay Portal 7.0.0...

The ComboServlet in Liferay Portal and Liferay DXP does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial...

Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions Liferay DXP 2023.Q3.1 through 2023.Q3.5 Liferay DXP 7.4 GA through U92 Liferay DXP 7.3 GA through U34, and older unsupported...

Liferay Portal fixed on master branch Liferay DXP 2024.Q1.1 Liferay DXP 2023.Q4.1 Liferay DXP 2023.Q3.5 Liferay DXP 7.3 update 36 Improper Authentication in Liferay Portal and Liferay DXP allows...

Liferay Portal 7.4.3.120 Liferay DXP 2024.Q1.6 Liferay DXP 2024.Q2.0 Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions Liferay DXP 2023.Q3.1 through 2023.Q3.10 Liferay DXP...

In Liferay Portal and Liferay DXP the audit events records a user’s password reminder answer, which allows remote authenticated users to obtain a user’s password reminder answer via the audit...

Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal and Liferay DXP allows remote attackers to register a server license via the 'orderUuid'...

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal and Liferay DXP allows remote attackers to (1) add files to arbitrary locations on the server and (2)...

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to execute arbitrary web script or HTML via Dispatch name field. Liferay Portal 7.4.0...

Liferay Portal and Liferay DXP does not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API. Liferay Portal...

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected...

Liferay Portal 7.1.0 through 7.4.3.101 Liferay DXP 2023.Q3.0 through 2023.Q3.4 Liferay DXP 7.4 GA thorugh U92 Liferay DXP 7.3 GA thorugh U35, and older unsupported versions Liferay Portal...

Liferay Portal 7.4.3.88 Liferay DXP 2023.Q3.1 Liferay DXP 7.4 update 88 Liferay DXP 7.3 update 30 This issue was reported by milCERT AT and Abderrahmane BOUNHIDJA Cross-site scripting (XSS)...

Open redirect vulnerability in page administration in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the...

Liferay Portal 7.4.3.22 Liferay DXP 7.4 Update 10 Liferay DXP 7.3 Update 26 SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,...

Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute Cross-Site Request Forgery Liferay Portal 7.4.3.120 Liferay DXP 2024.Q2.0...

Liferay Portal and Liferay DXP does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API. Liferay DXP 2023.Q3.1...

Severity 1 Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML into a parent wiki...

Liferay DXP 7.3 GA1 Liferay Portal 7.3.1 In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create...

Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...

Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal, and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle...

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.2 does not validate HTTPS certificates used with DDMRESTDataProvider, which allows man-in-the-middle attackers to impersonate,...

Liferay Portal 7.1.0 - 7.1.3 Liferay Portal 7.2.0 - 7.2.1 Liferay Portal 7.3.0 - 7.3.7 Liferay Portal 7.4.0 - 7.4.3.4 Liferay Portal 7.4.3.5 There is no fix available for Liferay Portal 7.1, 7.2...

SQL injection vulnerability in the Layout module's page template upgrade process in Liferay Portal 7.1.3 through 7.4.3.4 allows remote authenticated attackers to execute arbitrary SQL commands via...

Cross-site scripting (XSS) vulnerability in the Portal Search module's Tag Facet widget in Liferay Portal 7.1.0 through 7.4.2 allows remote attackers to inject arbitrary web script or HTML via the...

Cross-site scripting (XSS) vulnerability in the Announcements module's Announcement and Alerts management page in Liferay Portal 7.1.0 through 7.4.2 allows remote attackers to inject arbitrary web...

Liferay Portal 7.2.1 Liferay Portal 7.0.0 through 7.2.0 does not check if a portlet mode is valid, which allows remote attackers to disable the product menu via supplying an invalid portlet mode in...

The portal property, auth.login.prompt.enabled defaults to true in Liferay Portal 7.0.0 through 7.4.2 which allows attackers to enumerate and discover the existence of screen names, site names, and...

Liferay Portal 7.4.3.4 January 2022 source patch for Liferay Portal 7.3.7. Details for working with source patches can be found on the Patching Liferay Portal page. There is no fix available for...

Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1 allows remote attackers to inject arbitrary web script...

The Portal Security module in Liferay Portal 7.2.1 and earlier does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by...

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add...

Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the output of a...

This issue was reported by Mariani Francesco Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0 allows remote attackers to inject...