Skip to Main Content
  • Blogs
  • Feedback
  • Help
  • Meet
  • Chat
  • Discuss
  • Download
  • Learn
  • Log In

Known Vulnerabilities

  • Security Overview
  • Reporting Security Issues
  • Known Vulnerabilities
  • Hall of Fame

Releases

  • Liferay Portal 7.4 U132
  • Liferay Portal 7.4
  • Liferay Portal 7.3
  • Liferay Portal 7.2
  • Liferay Portal 7.1
  • Liferay Portal 7.0
  • Liferay Portal 6.2 CE
  • Liferay Faces
  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2
  • LIferay DXP 7.1
  • LIferay DXP 7.0
  • Liferay DXP 2025.Q4
  • Liferay DXP 2025.Q3
  • Liferay DXP 2025.Q2
  • Liferay DXP 2025.Q1
  • Liferay DXP 2024.Q4
  • Liferay DXP 2024 Q3
  • Liferay DXP 2024 Q2
  • Liferay DXP 2024 Q1
  • Liferay DXP 2023.Q4
  • Liferay DXP 2023.Q3
RSS

  • CVE-2025-62255 Self-XSS with attachment file names in Knowledge Base

  • CVE-2025-62254 Very large ComboServlet responses

  • CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents

  • CVE-2025-43814 Password reminder answers recorded in audit events

  • CVE-2025-43809 CSRF vulnerability with server (license) registration

  • CVE-2025-62250 Portal fails to verify messages from the cluster network is trusted

  • CVE-2025-3760 Stored XSS with radio button type custom fields

  • CVE-2024-11993 Reflected XSS in Dispatch Name field

  • CVE-2025-43799 Change password requirement bypass

  • CVE-2025-43824 HTTP response injection/splitting vulnerability with vCard

  • CVE-2025-43827 IDOR audit events

  • CVE-2025-43826 Stored XSS with web content translation

  • CVE-2025-62246 Stored XSS with mentions in comments

  • CVE-2025-62252 Assign user from another instance to an organization

  • CVE-2025-43795 Open redirect in System Settings, Instance Settings and Site Settings

  • CVE-2023-37940 XSS with "Service Class" in Service Access Policy

  • CVE-2025-3602 GraphQL queries does not limit depth

  • CVE-2025-3526 DoS vulnerability with SessionClicks

  • CVE-2025-3594 DoS vulnerability with SessionClicks

  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions

  • CVE-2024-25151 Possible XSS & content spoofing in notifications emails

  • CVE-2024-26266 Stored XSS with user name in Announcements & Alerts

  • CVE-2024-26269 XSS with anchor/hash part of a URL in portlet.js

  • CVE-2024-25603 Stored XSS with instanceId in DDMForm

  • CVE-2024-25152 Stored XSS with message board file attachment

  • CVE-2024-25601 Stored XSS with geolocation custom fields

  • CVE-2024-25602 Stored XSS with organization name in edit user

  • CVE-2024-25147 HtmlUtil.escapeJSLink circumvention

  • CVE-2024-26268 User enumeration vulnerability by comparing login response time

  • CVE-2024-26267 Insecure default for the property `http.header.version.verbosity`

  • CVE-2024-26265 File system flooding through the Image Uploader

  • CVE-2024-25610 Stored XSS with Blog entries (Insecure defaults)

  • CVE-2024-25609 HtmlUtil.escapeRedirect circumvention with two forward slash

  • CVE-2024-25608 Open redirect vulnerability using Replacement Character

  • CVE-2024-25607 Default password hashing algorithm do not provide sufficient protection

  • CVE-2024-25606 XXE vulnerability in Java2WsddTask._format

  • CVE-2024-25605 Unauthorized access to Web Content templates

  • CVE-2024-25604 User can access and edit their own permissions

  • CVE-2024-25150 User full name disclosure in page title

  • CVE-2024-25149 Users without parent site membership can be registered on child sites

  • CVE-2022-45320 Wiki page privilege escalation

  • CVE-2024-25148 'doAsUserId' value may get leaked when using WYSIWYG editor to create content

  • CVE-2024-25146 Unauthorized users can discover if a site exist

  • CVE-2024-25145 Stored XSS with search results if highlighting is disabled

  • CVE-2024-25144 DoS via a self-referencing IFrame

  • CVE-2024-25143 DoS vulnerabilities via crafted PNG image

  • CVE-2021-29050 CSRF vulnerability in Terms of Use page

  • CVE-2021-29038 Password reminder answers are not obfuscated

  • CVE-2023-47798 Account lockout does not invalidate user sessions

  • CVE-2023-42628 XSS with child wiki pages

  • CVE-2023-33937 Stored XSS with form name in form configuration

  • CVE-2023-33939 Stored XSS in Modified Facet

  • CVE-2023-33949 Users do not have to verify their email address by default

  • CVE-2022-42132 LDAP credentials exposed in URL

  • CVE-2022-42131 DDMRESTDataProvider vulnerable to man-in-the-middle attack

  • CVE-2022-42130 Unauthorized access to form entries via API

  • CVE-2022-42121 SQL injection vulnerability during page template upgrade

  • CVE-2022-42118 Reflected XSS with `tag` in Search

  • CVE-2022-42112 Stored XSS with sort by label in Search Sort widget

  • CVE-2022-42111 Stored XSS with a shared asset name in notification

  • CVE-2022-42110 Stored XSS with announcement/alert type

  • CST-7230 Invalid portlet mode cause product menu to be inaccessible

  • CST-2022-01 Insecure defaults: auth.login.prompt.enabled

  • CVE-2022-28978 Stored XSS with user name in site membership

  • CVE-2022-28979 XSS in Custom Facet widget

  • CVE-2021-38263 Reflected XSS with Script page

  • CVE-2021-38266 DoS vulnerability prevents LDAP users from authenticating

  • CVE-2021-38268 Site member can add new forms by default

  • CVE-2021-38269 Stored XSS with Gogo Shell output

  • CST-7229 Mail server DoS via MembershipRequestService

  • CST-7227 Reflected XSS with 'backURL' in Users and Organizations

  • CST-7228 Stored XSS with Tags name

  • CVE-2021-29040 Overly verbose JSON web services errors

  • CVE-2021-29043 S3 store's proxy password visible in System Settings

  • CVE-2021-29044 Stored XSS with membership request comment

  • CVE-2021-29051 Reflected XSS with 'assetEntryId' in Asset Publisher

  • CVE-2021-33320 Flagging content as inappropriate is not rate limited

  • CVE-2021-33321 Insecure default configuration allows for user enumeration using forgot password

  • CVE-2021-33322 Password change does not invalidate password reset tokens

  • CVE-2021-33323 Unauthenticated form drafts are visible to everybody

  • CVE-2021-33324 Unauthorized users can view a site's pages via page administration

  • CVE-2021-33325 User's unencrypted passwords stored in database

  • CVE-2021-33326 XSS with the title of a modal window

  • CVE-2021-33327 Unauthorized users can view the Guest and User roles

  • CVE-2021-33328 Stored XSS with Web Content Structure names and Document Types names in Categories Admin

  • CVE-2021-33330 CORS should not work with Portal Session authentication

  • CVE-2021-33331 Open redirect vulnerability in notifications

  • CVE-2021-33332 Reflected XSS with portletId in Look and Feel Configuration

  • CVE-2021-33333 Unauthorized users can view and delete workflow submissions

  • CVE-2021-33334 Unauthorized users can view forms and form entries

  • CVE-2021-33335 Non-company admins can edit company admins

  • CVE-2021-33338 Adding pages exposes CSRF token

  • CVE-2021-33339 Stored XSS with Site name in Fragment portlet

  • CVE-2022-26596 Stored XSS with Template name

  • CST-7224 Stored XSS with user name in Document & Media file info panel

  • CST-7225 OAuth2 authentication bypass of REST application API

  • CST-7226 Open redirect in System Settings' search

  • CST-7307 Unauthorized users can delete a staging publishing process

  • CST-7308 'portlet.resource.id.banned.paths.regexp' bypass with doubled encoded URLs

  • CST-7309 User enumeration via forget password

  • CST-7310 Reflected XSS in Page Fragments' edit page

  • CST-7311 Blog cover image extension circumvention

  • CST-7312 Libraries with known vulnerabilities in 7.2.1 and 7.3.2

  • CST-7313 Stored XSS with user name in workflow definition editor

  • CST-7314 Viewing Calendar widget prevents Instance Settings from saving

  • CST-7315 Unauthorized access to staged public pages's sitemap.xml

  • CST-7316 Reflected XSS with 'openId' in Login module

  • CST-7317 DoS vulnerability with multipart/form-data requests

  • CST-7213 Java deserialization vulnerability in clustered setup

  • CST-7214 LDAP credentials exposed by 'Test LDAP Connection'

  • CST-7215 SSRF vulnerability via DDM REST Data Provider

  • CST-7216 Multiple XSS vulnerabilities in 7.1.3 and 7.2.1

  • CST-7217 Downloading MySQL Connector/J is vulnerable to MITM attacks

  • CST-7218 Libraries with known vulnerabilities in 7.1.3 and 7.2.1

  • CST-7219 Documents and Media file extension restriction circumvention

  • CST-7220 Directory traversal with Page Fragment exports

  • CST-7221 Flag email injection vulnerability

  • CST-7222 Any user can display unconfigured instance of an instantiable widget

  • CST-7223 Private site disclosure via Blogs RSS

  • CST-7301 DDMDataProvider API leaks REST data provider password

  • CST-7302 Remote code execution with FreeMarker/Velocity templates

  • CST-7303 Circumvention of open redirect prevention using tabs

  • CST-7211 User can change password without current password

  • CST-7212 Passwords are emailed to users by default

  • CST-7201 Multiple XSS vulnerabilities in 7.2 CE GA1

  • CST-7202 Multiple permission vulnerabilities in 7.2 CE GA1

  • CST-7203 Libraries with known vulnerabilities in 7.2 CE GA1

  • CST-7204 Mail server DoS using /user/send-password-by-*

  • CST-7205 Unauthenticated Remote code execution via JSONWS

  • CST-7206 Hello World widget reveals portal version information

  • CST-7207 Open redirect in Account Settings

  • CST-7208 'leaflet' loaded using HTTP

  • CST-7209 Search results redirects users to non-https links

  • CST-7210 Email and password disclosure in Sign In

Community
Company
Feedback
Blogs
Discuss
Meet
Open Source
Download
Events
Learn
Careers
Contact Us
Feedback
Help
Copyright © 2025 Liferay, Inc

Powered by Liferay™

Legal

Compliance

Privacy Policy

This Website Uses Cookies

This website uses cookies and similar tools, some of which are provided by third parties (together “tools”). These tools enable us and the third parties to access and record certain user-related and activity data and to track your interactions with this website. These tools and the informationcollected are used to operate and secure this website, enhance performance, enable certain website features and functionality, analyze and improve website performance, and personalize user experience.

If you click “Accept All”, you allow the deployment of all these tools and collection of the information by us and the third parties for all these purposes.

If you click “Decline All” your IP address and other information may still be collected but only by tools (including third party tools) that are necessary to operate, secure and enable default website features and functionalities. Review and change your preferences by clicking the “Configurations” at any time.

Visit our Privacy Policy