- SSRF vulnerability in FreeMarker templates in Liferay Portal and Liferay DXP allows template editors to bypass access validations via crafted URLs. Liferay Portal fixed on master branch Liferay DXP...
- Liferay Portal and Liferay DXP allow unauthenticated users (guests) to access, via URL, files uploaded by an object entry and stored in document_library. Liferay Portal 7.4.0 through 7.4.3.132 Liferay...
- Liferay Portal and Liferay DXP allow any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, giving an attacker the possibility to send...
- Liferay Portal fixed on master branch, Liferay DXP 2025.Q2.0, Liferay DXP 2025.Q1.5, Liferay DXP 2024.Q1.16. This issue was reported by Shubham Shah - CTO @ Assetnote and Adam Kues - Security...
- Liferay Portal and Liferay DXP contain a pre-authentication blind SSRF vulnerability in portal-settings-authentication-opensso-web due to improper validation of user-supplied URLs. An attacker...
- Liferay Portal fixed on master branch, Liferay DXP 2024.Q1.15, Liferay DXP 2025.Q1.4, Liferay DXP 2025.Q2.0. Liferay Portal 7.4.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.3, Liferay DXP...
- A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript in the...
- Liferay Portal and Liferay DXP allow authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs. Liferay Portal 7.4.0 through 7.4.3.131 Liferay...
- Open redirect vulnerability in the `redirect` parameter of /c/portal/edit_info_item in Liferay Portal and Liferay DXP allows an attacker to exploit this security vulnerability to redirect users to a...
- Liferay Portal 7.4.0 through 7.4.3.131, Liferay DXP 2024.Q4.0, Liferay DXP 2024.Q3.1 through 2024.Q3.13, Liferay DXP 2024.Q2.0 through 2024.Q2.13, Liferay DXP 2024.Q1.1 through 2024.Q1.12, Liferay DXP...
- A stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows a remote non-authenticated attacker to inject JavaScript into the text field of a web content. Liferay...
- Self-ReDoS (Regular expression Denial of Service) exists in the Role Name search field of the Kaleo Designer portlet JavaScript in Liferay Portal and Liferay DXP, which allows authenticated users with...
- Username enumeration vulnerability in Liferay Portal and Liferay DXP allows attackers to determine whether an account exists in the application by inspecting the server processing time of the login...
- A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows a remote non-authenticated attacker to inject JavaScript into the referer or FORWARD_URL using %00...
- A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows a remote non-authenticated attacker to inject JavaScript into the google_gadget. Liferay Portal...
- A reflected cross-site scripting (XSS) vulnerability in Liferay Portal allows a remote non-authenticated attacker to inject JavaScript into the...
- Liferay Portal fixed on master branch, Liferay DXP 2024.Q1.14, Liferay DXP 2024.Q4.6, Liferay DXP 2025.Q1.0. This issue was reported by Gareth Catterall, AnchorSec security team. The fragment preview...
- Liferay Portal fixed on master branch, Liferay DXP 2025.Q2.0, Liferay DXP 2025.Q1.1, Liferay DXP 2024.Q1.15. Liferay Portal and Liferay DXP allow admin users of a virtual instance to add pages that...
- Liferay Portal and Liferay DXP allow unauthenticated users (guests) to access, via URL, files uploaded in the form and stored in document_library. Liferay Portal fixed on master branch Liferay DXP...
- Liferay Portal and Liferay DXP allow users to upload an unlimited number of files through forms; the files are stored in the document_library, allowing an attacker to cause a potential DDoS....
- Liferay Portal and Liferay DXP allow remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing...
- The data exposure vulnerability in Liferay Portal and Liferay DXP allows an unauthorized user to obtain entry data from forms. Liferay Portal 7.4.0 through 7.4.3.128 Liferay DXP 2024.Q2.0 through...
- Cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or...
- Liferay Portal 7.4.0 through 7.4.3.128, Liferay DXP 7.4 GA through U92, Liferay DXP 2024.Q1.1 through 2024.Q1.12, Liferay DXP 2024.Q2.0 through 2024.Q2.13, Liferay DXP 2024.Q3.0 through 2024.Q3.1...
- This issue was reported by milCERT AT and Lucas Machado from Devoteam Cyber Trust. A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal and...
- This issue was reported by milCERT AT. Stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to execute arbitrary web script or HTML via...
- Stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the remote app title field. Liferay Portal 7.4.0...
- Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field. Liferay Portal 7.4.0...
- Liferay Portal and Liferay DXP do not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API. Liferay Portal...
- Liferay Portal 7.4.3.112, Liferay DXP 2024.Q2.0, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.6, Liferay DXP 2023.Q3.9. Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, Liferay DXP...
- Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal and Liferay DXP allows remote attackers to view contact information, including the contact's...
- This issue was reported by foobar7. Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a...
- Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload...
- This issue was reported by foobar7. Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal and Liferay DXP allows remote authenticated attackers to view the edit...
- Cross-site request forgery (CSRF) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to add and edit publication comments. Liferay Portal 7.4.1 through 7.4.3.112 Liferay DXP...
- Insecure direct object reference (IDOR) vulnerability with commerce order notes in Liferay Portal and Liferay DXP allows remote authenticated users from one virtual instance to add a note to an...
- This issue was reported by foobar7. Insecure direct object reference (IDOR) vulnerability with audit events in Liferay Portal and Liferay DXP allows remote authenticated users from one virtual...
- This issue was reported by argon21. Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web...
- Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected...
- Insecure direct object reference (IDOR) vulnerability in Liferay Portal and Liferay DXP allows remote authenticated users in one virtual instance to assign an organization to a user in a different...
- Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q3.9. This issue was reported by foobar7. Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal and Liferay...
- Cross-site scripting (XSS) vulnerability in web content templates in Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload...
- The Commerce component in Liferay Portal and Liferay DXP saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download...
- Liferay Portal 7.1.0 through 7.4.3.101, Liferay DXP 2023.Q3.0 through 2023.Q3.4, Liferay DXP 7.4 GA through U92, Liferay DXP 7.3 GA through U35, and older unsupported versions. Liferay Portal...
- Liferay Portal 7.4.3.88, Liferay DXP 2023.Q3.1, Liferay DXP 7.4 update 88, Liferay DXP 7.3 update 30. This issue was reported by milCERT AT and Abderrahmane BOUNHIDJA. Cross-site scripting (XSS)...
- Open redirect vulnerability in page administration in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the...
- Liferay Portal and Liferay DXP do not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex...
- Possible path traversal and denial-of-service vulnerability in the ComboServlet in Liferay Portal and Liferay DXP allows remote attackers to access arbitrary CSS and JS files and load the files...
- Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1)...
- Liferay Portal 7.4.3.22, Liferay DXP 7.4 Update 10, Liferay DXP 7.3 Update 26. SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session,...
- Kaleo Forms Admin in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading to... Releases: Liferay Portal 7.4, Liferay DXP 7.3, Liferay DXP 7.4
- In Liferay Portal and Liferay DXP (Liferay PaaS and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote...
- Insufficient CSRF protection for omni-administrator users in Liferay Portal and Liferay DXP allows attackers to execute cross-site request forgery. Liferay Portal 7.4.3.120 Liferay DXP 2024.Q2.0...
- Severity 1: The Script Console in Liferay Portal and Liferay DXP does not sufficiently protect against cross-site request forgery (CSRF) attacks, which allows remote attackers to execute arbitrary...
- Stored cross-site scripting (XSS) vulnerability in a custom object's /o/c/<object-name> API endpoint in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML...
- Liferay Portal 7.4.3.4 through 7.4.3.111, Liferay DXP 2023.Q4.0 through 2023.Q4.5, Liferay DXP 2023.Q3.1 through 2023.Q3.8, Liferay DXP 7.4. Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP...
- Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal and Liferay DXP allows remote authenticated attackers to view publication comments via the...
- This issue was reported by foobar7. Stored cross-site scripting (XSS) vulnerability in Commerce's view order page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web...
- This issue was reported by foobar7. Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay DXP allows remote authenticated attackers to inject...
- Cross-site scripting (XSS) vulnerability in the workflow process builder in Liferay DXP allows remote authenticated attackers to inject arbitrary web script or HTML via crafted input in a workflow...