-
Severity 1 Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the...
-
This issue was reported by Barnabás Horváth (T4r0). User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exists in the application by...
-
Workaround: Set the following in portal(-ext).properties: `http.header.version.verbosity=partial`. Liferay Portal 7.4.3.26; Liferay DXP 7.4 update 26; Liferay DXP 7.3 update 5; Liferay DXP 7.2 fix pack...
-
Severity 2 Privilege escalation vulnerability in Wiki in Liferay Portal and Liferay DXP allows remote authenticated users to become the owner of a wiki page by editing the wiki page. Liferay Portal...
-
This issue was reported by Liferay and milCERT AT. Severity 1 Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote authenticated users to inject...
-
Liferay Portal 7.4.3.16; Liferay DXP 7.4 update 16; Liferay DXP 7.3 update 4; Liferay DXP 7.2 fix pack 19. Severity 2 The Image Uploader module in Liferay Portal and Liferay DXP relies on a request...
-
Severity 2 In Liferay Portal and Liferay DXP, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML...
-
Severity 2 HtmlUtil.escapeRedirect in Liferay Portal and Liferay DXP can be circumvented by using two forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via...
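Added example (not Liferay's code) of the two-slash bypass described above: a redirect validator that only tests for a leading `/` accepts `//attacker.example/`, which a browser resolves as a scheme-relative URL to another host, shown beside a stricter validator. The function names, `attacker.example` and `portal.example` are this example's own.

```python
# Added example (not Liferay's code): a protocol-relative bypass of a
# "must start with /" redirect check, next to a stricter validator.
from urllib.parse import urlsplit


def naive_is_local_redirect(url: str) -> bool:
    """The broken rule: anything starting with '/' is assumed to stay on-site.

    A browser resolves '//attacker.example/x' as scheme-relative, i.e. it
    keeps the current scheme but switches host, so this check is bypassed.
    """
    return url.startswith("/")


def hardened_is_local_redirect(url: str, allowed_hosts=frozenset()) -> bool:
    """Accept only same-site paths or explicitly allow-listed https hosts."""
    if not url or any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False                      # control characters: reject outright
    if "\\" in url:
        return False                      # some browsers normalise '/\\host' to '//host'
    try:
        parts = urlsplit(url)
    except ValueError:                    # e.g. malformed IPv6 literal
        return False
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only an allow-listed https host may pass.
        return parts.scheme == "https" and parts.netloc.lower() in allowed_hosts
    # Relative reference: exactly one leading slash, so '//host' cannot sneak through.
    return url.startswith("/") and not url.startswith("//")


def compare(url: str, allowed_hosts=frozenset()) -> dict:
    """Run both checks on one candidate so the difference is visible."""
    return {
        "url": url,
        "naive": naive_is_local_redirect(url),
        "hardened": hardened_is_local_redirect(url, allowed_hosts),
    }


if __name__ == "__main__":
    # Constructed inputs; attacker.example and portal.example are placeholders.
    for candidate in ("/web/guest/home", "//attacker.example/", "/\\attacker.example",
                      "https://attacker.example/", "https://portal.example/web",
                      "javascript:alert(1)"):
        print(compare(candidate, allowed_hosts={"portal.example"}))
```

The stricter check parses the URL rather than inspecting prefixes, so a scheme-relative reference shows up as a non-empty `netloc` and is handled by the same allow-list as an absolute URL.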
-
Liferay Portal 7.4.0 through 7.4.3.18; Liferay Portal 7.3.0 through 7.3.7; Liferay Portal 7.2.0 and 7.2.1; Liferay Portal, older unsupported versions; Liferay DXP 7.4 before update 19; Liferay DXP 7.3...
-
Severity 2 The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal and Liferay DXP defaults to a low work factor, which allows attackers to quickly crack password hashes....
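Added example (not Liferay's code) of why the PBKDF2 iteration count matters: the same offline dictionary attack is run against a hash made with a low round count and timed against a high one, so the cost the work factor imposes on the attacker is measurable. The round counts, the `rounds$salt$digest` storage layout and the sample password are this example's own assumptions, not Liferay's defaults.

```python
# Added example (not Liferay's code): how the PBKDF2-HMAC-SHA1 iteration
# count sets an attacker's offline guess rate. Values below are illustrative.
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

LOW_ROUNDS = 1_000        # assumed "low work factor" for illustration only
HIGH_ROUNDS = 1_300_000   # chosen to match OWASP's guidance for PBKDF2-HMAC-SHA1
DK_LEN = 20               # SHA-1 output size in bytes


def hash_password(password: str, rounds: int, salt: Optional[bytes] = None) -> str:
    """Store rounds, salt and digest together so verification can replay them.
    The 'rounds$salt$digest' layout is this example's own, not Liferay's."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, DK_LEN)
    return f"{rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds), DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: every candidate costs the defender-chosen round count."""
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


def guesses_per_second(rounds: int, samples: Optional[int] = None) -> float:
    """Time a few guesses on this CPU; fewer samples at high round counts."""
    if samples is None:
        samples = max(2, min(50, 50_000 // rounds))
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", f"guess{i}".encode(), salt, rounds, DK_LEN)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(rounds: int, dictionary_size: int) -> float:
    """Single-core estimate; a GPU cracker scales this by orders of magnitude."""
    return dictionary_size / guesses_per_second(rounds)


if __name__ == "__main__":
    stored = hash_password("Summer2023!", LOW_ROUNDS)    # constructed sample
    print("recovered:", dictionary_attack(stored, ["password", "letmein", "Summer2023!"]))
    for rounds in (LOW_ROUNDS, HIGH_ROUNDS):
        print(f"{rounds:>9} rounds: ~{seconds_to_exhaust(rounds, 10_000_000):,.0f} s "
              "to try a 10M-word list on one CPU core")
```

Because the stored string carries its own round count, raising the work factor is a matter of re-hashing at next login; the verifier keeps accepting old hashes in the meantime.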
-
Severity 2 XXE vulnerability in Liferay Portal and Liferay DXP allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via...
-
Severity 2 The Journal module in Liferay Portal and Liferay DXP grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI...
-
Severity 2 Liferay Portal and Liferay DXP does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User...
-
Severity 1 Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
-
Liferay Portal 7.4.3.5; Liferay DXP 7.4 update 1; Liferay DXP 7.3 update 4; Liferay DXP 7.2 fix pack 17. Severity 1 Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web script...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in Expando module's geolocation custom fields in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web...
-
Liferay Portal 7.4.0 through 7.4.2; Liferay Portal 7.3.0 through 7.3.7; Liferay Portal 7.2.0 and 7.2.1; Liferay Portal, older unsupported versions; Liferay DXP 7.3 before service pack 3; Liferay DXP 7.2...
-
Severity 2 The Calendar module in Liferay Portal and Liferay DXP does not escape user-supplied data in the default notification email template, which allows remote authenticated users to inject...
-
Liferay Portal 7.4.0 through 7.4.2; Liferay Portal 7.3.0 through 7.3.7; Liferay Portal 7.2.0 and 7.2.1; Liferay Portal, older unsupported versions; Liferay DXP 7.3 before update 4; Liferay DXP 7.2...
-
Severity 2 Liferay Portal and Liferay DXP does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote...
-
Liferay Portal 7.4.2; Liferay DXP 7.3 service pack 3; Liferay DXP 7.2 fix pack 15. Severity 2 In Liferay Portal and Liferay DXP the `doAsUserId` URL parameter may get leaked when creating linked...
-
Severity 1 Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via crafted...
-
Severity 2 Liferay Portal and Liferay DXP returns different responses depending on whether a site does not exist or the user does not have permission to access the site, which allows remote...
-
Liferay Portal 7.4.0 through 7.4.3.11; Liferay Portal 7.3.0 through 7.3.7; Liferay Portal 7.2.0 and 7.2.1; Liferay Portal, older unsupported versions; Liferay DXP 7.4 before update 8; Liferay DXP 7.3...
-
Severity 2 The IFrame widget in Liferay Portal and Liferay DXP does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self...
-
Severity 1 The Document and Media widget in Liferay Portal and Liferay DXP does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a...
-
Severity 2 A Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay DXP and Liferay Portal allows remote attackers to accept the site's terms of use via social...
-
Liferay Portal 7.3.6; Liferay DXP 7.3 service pack 1; Liferay DXP 7.2 fix pack 17. This issue was reported by Duracell80. Severity 2 Liferay Portal and Liferay DXP does not obfuscate password reminder...
-
Severity 2 Account lockout in Liferay Portal and Liferay DXP does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been...
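Added example (not Liferay's code) of the session-handling point in the entry above: a lockout policy that only blocks new logins is placed beside one that also revokes every live session of the locked account, and a small scenario shows that a session opened before the lockout survives only under the first policy. The class and function names are this example's own.

```python
# Added example (not Liferay's code): lockout that leaves sessions alive
# versus lockout that revokes them. Names are this example's own.
import secrets
from collections import defaultdict
from typing import Dict, Set


class SessionRegistry:
    """Server-side session store indexed by user, so all of a user's
    sessions can be found and revoked in one call."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}                 # token -> user_id
        self._by_user: Dict[str, Set[str]] = defaultdict(set)

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        self._by_user[user_id].add(token)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._sessions

    def revoke_all_for_user(self, user_id: str) -> int:
        tokens = self._by_user.pop(user_id, set())
        for token in tokens:
            self._sessions.pop(token, None)
        return len(tokens)


class AccountLockout:
    """Counts failed logins; after max_failures the account is locked.

    revoke_sessions=False reproduces the weakness described above: the lock
    only stops new logins, so whoever already holds a session stays in.
    """

    def __init__(self, registry: SessionRegistry, max_failures: int = 5,
                 revoke_sessions: bool = True) -> None:
        self._registry = registry
        self._max_failures = max_failures
        self._revoke_sessions = revoke_sessions
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked: Set[str] = set()

    def is_locked(self, user_id: str) -> bool:
        return user_id in self._locked

    def record_failure(self, user_id: str) -> bool:
        """Return True if this failure is the one that locks the account."""
        if user_id in self._locked:
            return False
        self._failures[user_id] += 1
        if self._failures[user_id] < self._max_failures:
            return False
        self._locked.add(user_id)
        if self._revoke_sessions:
            self._registry.revoke_all_for_user(user_id)   # the missing step
        return True

    def record_success(self, user_id: str) -> None:
        self._failures.pop(user_id, None)


def session_survives_lockout(revoke_sessions: bool) -> bool:
    """Constructed scenario: 'alice' already has a session, then an attacker
    burns through the failure threshold. Does the old session still work?"""
    registry = SessionRegistry()
    policy = AccountLockout(registry, max_failures=3, revoke_sessions=revoke_sessions)
    token = registry.create("alice")
    for _ in range(3):
        policy.record_failure("alice")
    assert policy.is_locked("alice")
    return registry.is_valid(token)


if __name__ == "__main__":
    print("lock only:          session still valid =", session_survives_lockout(False))
    print("lock + revoke:      session still valid =", session_survives_lockout(True))
```

Revoking on lockout requires that sessions be addressable by user on the server side; a purely cookie-encoded session (no server registry) cannot be invalidated this way until it expires.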
-
Severity 2 Stored cross-site scripting (XSS) vulnerability in the Page Tree menu in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...
-
Liferay DXP 7.3 before update 33; Liferay DXP 7.4 before update 92; Liferay Portal 7.3.5 through 7.4.3.91; Liferay DXP 7.4 update 92; Liferay Portal 7.4.3.92. This issue was reported by Michael Oelke...
-
Severity 1 Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML into a parent wiki...
-
Liferay DXP 7.3 GA1; Liferay Portal 7.3.1. In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create...
-
Severity 2 Liferay DXP 7.3 before update 6; Liferay DXP 7.4 before update 18; Liferay Portal 7.3.1 - 7.3.7; Liferay Portal 7.4.0 - 7.4.3.17; Liferay DXP 7.3 update 6; Liferay DXP 7.4 update 18; Liferay...
-
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a...
-
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected...
-
Severity 2 Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script...
-
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...
-
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle...