Known Vulnerabilities

Liferay Portal 7.4.3.112 Liferay Portal 7.4.3.112 Liferay DXP 2024.Q1.1 Liferay DXP 2024.Q1.1 Blogs in Liferay Portal and Liferay DXP does not check permission of images in a blog entry, which...

The Document Library and the Adaptive Media modules in Liferay Portal and Liferay DXP uses an incorrect cache-control header, which allows local users to obtain access to downloaded files via the...

By default, Liferay Portal and Liferay DXP is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by...

Password enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack. Liferay...

Liferay Portal and Liferay DXP stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s...

Liferay Portal 7.0.0 through 7.4.3.97 Liferay DXP 2023.Q3.1 through 2023.Q3.4 Liferay DXP 7.4 Liferay DXP 7.3 GA through U35 And older unsupported versions Liferay Portal 7.4.3.98 Liferay Portal...

Liferay Portal 7.4.3.104 Liferay DXP 2024.Q1.1 Liferay DXP 2023.Q4.0 Liferay DXP 2023.Q3.5 Liferay Portal 7.3.7 through 7.4.3.92 Liferay DXP 2023.Q3.1 through 2023.Q3.4 Liferay DXP 7.4 Liferay DXP...

Liferay DXP 2024.Q1.1 Liferay Portal 7.4.3.112 Liferay DXP 2023.Q3.6 Liferay DXP 2023.Q4.3 Liferay DXP 7.3 U36 The ComboServlet in Liferay Portal and Liferay DXP does not limit the number or size...

Liferay DXP 7.3 U35 Liferay DXP 2023.Q3.6 Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal and Liferay DXP allows remote attackers to inject...

Liferay Portal 7.0.0 through 7.4.3.132 Liferay DXP 2023.Q4.0 through 2023.Q4.1 Liferay DXP 2023.Q3.1 through 2023.Q3.4 Liferay DXP 7.4 GA through update 92 Liferay DXP 7.3 GA through update 35, and...

Liferay Portal 7.4.3.120 Liferay Portal 7.4.3.120 Liferay DXP 2024.Q2.0 Liferay DXP 2024.Q1.1 Liferay DXP 2023.Q4.6 Liferay DXP 2023.Q3.9 Liferay DXP 2024.Q1.1 Liferay DXP 2024.Q2.0 Liferay DXP...

A memory leak in the headless API for StructuredContents in Liferay Portal and Liferay DXP allows an attacker to cause server unavailability (denial of service) via repeatedly calling the API...

Liferay Portal 7.4.3.113 Liferay DXP 2024.Q2.0 Liferay DXP 2024.Q1.1 Liferay DXP 2023.Q4.9 Liferay Portal 7.2.0 through 7.4.3.112 Liferay DXP 2023.Q4.0 through 2023.Q4.8 Liferay DXP 2023.Q3.1...

Liferay DXP 2023.Q3.9 Liferay DXP 2023.Q4.8 Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal and Liferay DXP allows remote attackers to...

Liferay Portal and Liferay DXP does not perform an authorization check when users attempt to view a display page template, which allows remote attackers to view display page templates via crafted...

Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal and Liferay DXP allows remote attackers to perform a denial-of-service (DoS) attacks via a crafted XML-RPC request....

In Liferay Portal and Liferay DXP, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site...

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a "Rich Text"...

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal and Liferay DXP allows remote attackers to (1) add files to arbitrary locations on the server and (2)...

This issue was reported by milCERT AT and Lucas Machado from Devoteam Cyber Trust A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal...