Known Vulnerabilities

  • CVE-2025-62255 Self-XSS with attachment file names in Knowledge Base

  • CVE-2025-62254 Very large ComboServlet responses

  • CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents

  • CVE-2025-43809 CSRF vulnerability with server (license) registration

  • CVE-2025-62250 Portal fails to verify that messages from the cluster network are trusted

  • CVE-2025-43799 Change password requirement bypass

  • CVE-2023-37940 XSS with "Service Class" in Service Access Policy

  • CVE-2025-3526 DoS vulnerability with SessionClicks

  • CVE-2025-3594 DoS vulnerability with SessionClicks

  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions

  • CVE-2023-33949 Users do not have to verify their email address by default

  • CVE-2022-42132 LDAP credentials exposed in URL

  • CST-7230 Invalid portlet mode causes product menu to be inaccessible

  • CST-2022-01 Insecure defaults: auth.login.prompt.enabled

  • CVE-2022-28978 Stored XSS with user name in site membership

  • CVE-2021-38263 Reflected XSS with Script page

  • CVE-2021-38266 DoS vulnerability prevents LDAP users from authenticating

  • CVE-2021-38268 Site member can add new forms by default

  • CST-7229 Mail server DoS via MembershipRequestService

  • CST-7067 Reflected XSS in edit workflow configuration

  • CVE-2021-29040 Overly verbose JSON web services errors

  • CVE-2021-29043 S3 store's proxy password visible in System Settings

  • CVE-2021-29044 Stored XSS with membership request comment

  • CVE-2021-33320 Flagging content as inappropriate is not rate limited

  • CVE-2021-33321 Insecure default configuration allows for user enumeration using forgot password

  • CVE-2021-33322 Password change does not invalidate password reset tokens

  • CVE-2021-33325 Users' unencrypted passwords stored in database

  • CVE-2021-33326 XSS with the title of a modal window

  • CVE-2021-33328 Stored XSS with Web Content Structure names and Document Types names in Categories Admin

  • CVE-2021-33331 Open redirect vulnerability in notifications

  • CVE-2021-33333 Unauthorized users can view and delete workflow submissions

  • CVE-2021-33334 Unauthorized users can view forms and form entries

  • CVE-2021-33335 Non-company admins can edit company admins

  • CVE-2021-33338 Adding pages exposes CSRF token

  • CST-7214 LDAP credentials exposed by 'Test LDAP Connection'

  • CST-7215 SSRF vulnerability via DDM REST Data Provider

  • CST-7301 DDMDataProvider API leaks REST data provider password

  • CST-7114 Security vulnerabilities in Apache Tika

  • CST-7062 Denial-of-service vulnerability with embedded portlets

  • CST-7063 Pingback vulnerability in blogs

  • CST-7064 Remote code execution vulnerability in templates

  • CST-7065 DoS and MiM vulnerabilities in Apache Commons HttpClient

  • CST-7066 Users without proper permissions can add pages

  • CST-7061 Path traversal vulnerability in BaseBSFPortlet

  • CST-7205 Unauthenticated Remote code execution via JSONWS

  • CST-7113 Remote Code Execution using Web Content/DDM templates

  • CST-7138 SQL injection in asset framework

  • CST-7110 Path traversal vulnerability in templates

  • CST-7111 RCE via JSON deserialization

  • CST-7109 XXE vulnerability in XSL Content & Web Content

  • CST-7106 SSRF vulnerability via templates

  • CST-7054 Blog titles leaked to users without view permission

  • CST-7055 Open redirect prevention circumvention

  • CST-7056 Form REST data provider password disclosure

  • CST-7057 CSRF vulnerability with comments

  • CST-7058 CSV injection in Forms, DDL and user export

  • CST-7059 Theoretical OS command injection in SendmailHook

  • CST-7053 Multiple XSS vulnerabilities in 7.0 CE GA7

  • CST-7046 Reflected XSS in JSONWS API page

  • CST-7047 Multiple permission vulnerabilities in 7.0 CE GA6

  • CST-7048 User information exposure in asset tag API

  • CST-7049 doAsUserId leaked to third party sites

  • CST-7050 BREACH attack vulnerability

  • CST-7051 Remote code execution via Web Proxy application

  • CST-7052 Multiple CSRF vulnerability in 7.0 CE GA6

  • CST-7043 Local file disclosure via crafted URL

  • CST-7044 Content spoofing via URL manipulation

  • CST-7045 SMTP header injection vulnerability via Commons Email

  • CST-7042 Open redirect vulnerability in Asset Publisher

  • CST-7039 Password exposure in System Settings

  • CST-7040 Denial of service vulnerability when using Xuggler

  • CST-7041 Unauthorized access to system portlets/applications

  • CST-7038 Multiple permission vulnerabilities in 7.0 CE GA5

  • CST-7037 Multiple XSS vulnerabilities in 7.0 CE GA5

  • CST-7034 Multiple permission vulnerabilities in 7.0 CE GA4

  • CST-7035 Login information exposed in URL

  • CST-7036 Reminder query answer exposed in shared environments

  • CST-7033 Multiple XSS vulnerabilities in 7.0 CE GA4

  • CST-7028 Denial of service vulnerability via crafted URL

  • CST-7029 Denial of service vulnerability via the editing of a wiki page

  • CST-7030 Multiple XSS vulnerabilities in 7.0 CE GA4

  • CST-7031 Velocity/FreeMarker templates do not properly restrict variable usage

  • CST-7032 Paths to OSGi bundles exposed

  • CST-7017 Multiple XSS vulnerabilities in 7.0 CE GA3

  • CST-7018 RCE via TunnelServlet

  • CST-7019 DoS vulnerability via SessionClicks

  • CST-7020 XXE vulnerability in Apache Tika

  • CST-7021 DoS vulnerabilities in Apache Commons FileUpload

  • CST-7022 Open redirect vulnerability in Search

  • CST-7023 Password policy circumvention via forgot password

  • CST-7024 Multiple permission vulnerabilities in 7.0 CE GA3

  • CST-7025 Password exposure during a data migration

  • CST-7026 Password exposure in Server Administration

  • CST-7027 ThreadLocal may leak variables

  • LPS-67681 Search results include results to which a user should not have access

  • LPS-67682 Editing a blogs entry may reset the blog entry's permission

  • LPS-67683 XXE vulnerability in PDFBox

  • LPS-67684 LDAP credentials exposed in logs

  • LPS-67679 Certain types of URL can bypass the portal's open redirect prevention

  • LPS-67676 Reflected XSS in <aui:form> (1)

  • LPS-67677 Reflected XSS in <aui:form> (2)

  • LPS-67678 Various inline JavaScript related XSS

  • LPS-67675 Reflected XSS in Monitoring

  • LPS-66683 All users are site administrators by default

  • LPS-66682 CSRF token is persisted in database

  • LPS-66681 Open redirect vulnerability with Facebook authentication

  • LPS-66680 Restricted WAB resources may be accessible

  • LPS-66679 Various permission issues in 7.0.0

  • LPS-66677 Various XSS issues in 7.0.0
