📦 Liferay Portal
by Liferay
⚠️ Known Vulnerabilities
This vulnerability in Liferay Portal and DXP allows improper access through the expandoTableLocalService, potentially enabling unauthorized data access or manipulation. It affects Liferay Portal 7.4.0...
This vulnerability allows attackers to upload unrestricted files through Liferay's style books component, which are then processed within the environment, leading to arbitrary code execution. It affec...
A path traversal vulnerability in Liferay Portal and DXP allows remote attackers to write arbitrary files to server locations and download/execute arbitrary files from a download server. This affects ...
This CSRF vulnerability in Liferay's Script Console allows attackers to execute arbitrary Groovy code on affected servers by tricking authenticated administrators into clicking malicious links or thro...
This vulnerability allows remote authenticated users to modify workflow definitions in Liferay Portal/DXP, leading to arbitrary code execution (RCE). It affects Liferay Portal 7.3.2 through 7.4.3.111 ...
This stored XSS vulnerability allows authenticated attackers to inject malicious scripts into document titles in Liferay's Document and Media widget. When other users view these documents, the scripts...
This CVE describes multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP. Authenticated attackers can inject malicious scripts into user profile name fields that then ex...
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into the Language Override edit screen. When exploited, it can enable ses...
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote attackers to inject malicious scripts into the 'Blocked Email Domains' text field. When exploited, this ...
This stored cross-site scripting (XSS) vulnerability in Liferay's Expando module allows authenticated attackers to inject malicious scripts into geolocation custom field names. When other users view p...
This cross-site scripting (XSS) vulnerability in Liferay's HtmlUtil.escapeJsLink function allows attackers to inject malicious JavaScript or HTML through crafted javascript: links. Attackers can execu...
This vulnerability allows remote authenticated users to inject malicious JavaScript or HTML into blog entries in Liferay Portal/DXP, leading to cross-site scripting (XSS) attacks. It affects Liferay P...
This stored XSS vulnerability in Liferay's Portal Search module allows authenticated attackers to inject malicious scripts into search results when highlighting is disabled. Successful exploitation en...
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal allows remote attackers to inject malicious scripts or HTML via the p_l_back_url_title parameter on content edit pages. Succes...
This vulnerability allows remote attackers to inject malicious scripts into multiple address fields in Liferay's Commerce module. When exploited, these stored XSS payloads execute in victims' browsers...
This stored XSS vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into wiki pages through the content field. When other users view the compromised wiki page, the script ...
A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into page names. When users view affected pages, the scripts execute in their b...
This stored cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into vocabulary descriptions. When users view the affected vocabulary page, the ...
This reflected cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into the Export for Translation page of affected Liferay systems. When exploited, it can enable ses...
This vulnerability allows remote attackers to perform denial-of-service attacks against Liferay Portal/DXP by sending Headless API requests that return excessive numbers of objects, overwhelming serve...
This vulnerability in Liferay Portal and DXP allows remote attackers to trigger denial of service attacks by exploiting the ComboServlet's lack of limits on file combination. Attackers can craft reque...
This vulnerability in Liferay Portal/DXP allows remote attackers to perform path traversal attacks via the ComboServlet, potentially accessing arbitrary CSS and JS files and causing denial-of-service ...
This vulnerability allows attackers who control a website sharing the same top-level domain (TLD) to read cookies set by Liferay applications. It affects Liferay Portal and DXP versions through improp...
This vulnerability allows remote attackers to perform denial-of-service attacks on Liferay Portal/DXP by exploiting GraphQL queries that return unlimited objects. Attackers can overwhelm server resour...
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users to access, create, edit, and relate data across different virtual ...
This vulnerability allows authenticated admin users with Instance Administrator role to execute arbitrary Groovy scripts through Object actions in Liferay Portal/DXP, leading to remote code execution....
This vulnerability allows authenticated users without specific permissions to access sensitive information of admin users via JSONWS APIs in Liferay Portal and DXP. It affects Liferay Portal 7.4.0-7.4...
This CVE describes a pre-authentication blind Server-Side Request Forgery (SSRF) vulnerability in Liferay Portal and DXP. Attackers can force vulnerable servers to make arbitrary HTTP requests to inte...
This vulnerability in Liferay Portal and DXP allows remote attackers to cause denial-of-service by consuming system memory through crafted HTTP requests. Attackers can save unlimited request parameter...
This vulnerability allows remote attackers to perform denial-of-service attacks on Liferay Portal/DXP by sending complex GraphQL queries that overwhelm system resources. Affected systems include Lifer...
This CSRF vulnerability in Liferay Portal/DXP allows attackers to trick authenticated users into performing unauthorized actions by clicking malicious links. Attackers can change passwords, shut down ...
A CSRF vulnerability in Liferay Portal and DXP allows attackers to trick authenticated administrators into performing unauthorized actions. Attackers can change user passwords, shut down servers, exec...
This XXE vulnerability in Liferay Portal and DXP allows authenticated attackers with deployment permissions to read sensitive files or cause denial of service through XML parsing. It affects administr...
This vulnerability in Liferay Portal's Portal Security module allows remote attackers to perform account lockout attacks by attempting to authenticate as users that exist in LDAP directories. This pre...
CVE-2020-28884 is an OS command injection vulnerability in Liferay Portal Server that allows authenticated administrators to execute arbitrary operating system commands through Groovy script injection...
This vulnerability allows remote attackers to enumerate user email addresses through Liferay's forgot password functionality due to an insecure default configuration. Affected systems include Liferay ...
This vulnerability in Liferay Portal's Dynamic Data Mapping module allows unauthenticated remote attackers to view form values that were autosaved by other users. It affects Liferay Portal 7.1.0 throu...
This vulnerability allows remote attackers to view images in blog entries without proper permission checks in Liferay Portal and DXP. Attackers can access restricted images via crafted URLs. Affected ...
This vulnerability allows local users to access downloaded files via browser cache due to incorrect cache-control headers in Liferay's Document Library and Adaptive Media modules. It affects Liferay P...
This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP that allow remote attackers to inject malicious scripts or HTML into user profile fields. Attackers can...
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote attackers to inject malicious scripts or HTML via a specific parameter. Attackers can steal session cook...
This CVE describes a cross-site scripting (XSS) vulnerability in Liferay Portal and DXP's Blogs widget. Attackers can inject malicious <iframe> elements without sandbox attributes into blog content, a...
This CVE describes a DNS rebinding vulnerability in Liferay Portal and DXP that allows attackers to redirect users to malicious external URLs. Affected systems include Liferay Portal 7.4.0-7.4.3.119 a...
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Liferay Portal's Headless API that allows attackers to execute any Headless API endpoint via the 'endpoint' parameter. It affect...
This vulnerability allows remote users to access and edit content via APIs in Liferay Portal and DXP before email verification, bypassing intended access controls. It affects Liferay Portal 7.4.0 thro...
This vulnerability allows local users to view user email addresses in log files through the LDAP import feature in Liferay Portal and DXP. It affects Liferay Portal 7.4.0 through 7.4.3.97 and Liferay ...
This open redirect vulnerability in Liferay Portal and DXP allows attackers to redirect authenticated users to malicious external websites by manipulating the redirect parameter in page administration...
This CVE describes a self cross-site scripting (XSS) vulnerability in Liferay Portal and DXP that allows remote attackers to inject malicious scripts or HTML via specially crafted attachment filenames...
This vulnerability allows remote attackers to access Liferay's OpenAPI YAML file through a crafted URL, potentially exposing API documentation and internal system details. It affects Liferay Portal 7....
This vulnerability allows authenticated users in Liferay Portal/DXP to access and select unauthorized Blueprints through Collection Providers across instances due to missing authorization checks. It a...
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated attackers to inject malicious JavaScript via a specific parameter. When victims access crafted URLs ...
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote unauthenticated attackers to inject malicious JavaScript into the google_gadget component. This affects use...
This CVE describes stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP where authenticated users can inject malicious scripts into various comment fields. When other users view...
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users in one virtual instance to assign organizations to users in differ...
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users to access other users' address information by manipulating the add...
A CSRF vulnerability in Liferay Portal and DXP allows attackers to add or edit publication comments without user consent. This affects Liferay Portal 7.4.1-7.4.3.112 and Liferay DXP 2023.Q4.0-2023.Q4....
This cross-site scripting (XSS) vulnerability in Liferay's workflow process builder allows authenticated attackers to inject malicious scripts or HTML into workflow definitions. The vulnerability affe...
A stored cross-site scripting (XSS) vulnerability in Liferay's Commerce view order page allows attackers to inject malicious scripts into account name fields. When users view orders containing these m...
This stored XSS vulnerability allows authenticated attackers to inject malicious scripts into the Account Name field on the Membership page in Liferay Portal/DXP. When other users view the affected pa...
This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP calendar events. Attackers can inject malicious scripts into user name fields (First, Middle, Last) tha...
This CVE describes multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP notifications widget. Attackers can inject malicious scripts into user profile fields and conten...
A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into forms with rich text fields. When users view or interact with these compro...
This stored cross-site scripting (XSS) vulnerability in Liferay's diagram type products allows remote attackers to inject malicious scripts or HTML via crafted SVG files. When exploited, it enables at...
This CVE describes stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP where attackers can inject malicious scripts into Terms and Conditions fields. The injected scripts execu...
This cross-site scripting (XSS) vulnerability allows remote attackers to inject malicious scripts into Commerce Product Name fields in Liferay Portal and DXP. When exploited, it can enable session hij...
This vulnerability allows authenticated users to manipulate file extensions when downloading vCard files from the Profile widget in Liferay. Attackers could potentially deliver malicious files disguis...
This vulnerability in Liferay Portal and DXP allows unauthorized actors to access sensitive user data through Freemarker templates. It affects multiple versions of Liferay Portal 7.4 and Liferay DXP f...