Search Results

Issue Our security scan has shown CVE-2022-47966 as an active critical vulnerability. Is Liferay affected? Environment DXP 7.2 Resolution The out-of-the-box Liferay product is not affected by this vulnerability. So, unless you use this library in a custom implementation, your system can...

Issue HTTP methods like HEAD, OPTIONS, TRACE may provide information about the application that can be used in attacks like XST, CSRF, steal of sensitive information. How we can disable insecure/unnecessary http methods? How to enable the SECURE attribute to disallow the cookie to be...

Issue Liferay does not restrict a URL that has a 'sleepy user agent' query appended to it like: https://domain/page?1%2b(select*from(select(sleep(x)))a)%2b=1 Environment Liferay DXP 7.4 Resolution Sleepy user agent payload gets a page in sleep mode(inactive) for x seconds of time, which...

Issue The Download Certificate button doesn't work in the SAML Admin. When I click on the Download Certificate button, nothing happens. Redirect URL errors are seen in Liferay logs, such as: [http-nio-8080-exec-10][PortalImpl:991] Redirect URL...

Issue When attempting to create a new Identity Provider under SAML Admin, having entered the required information, when ‘Save’ is clicked the UI displays: "Error: Please enter a valid identity provider entity ID." The logs show: INFO  [http-nio-8084-exec-19][SamlAdminPortlet:77] Metadata...

Issue I've found vulnerabilities in our current jQuery version. Since I can't find jQuery used anywhere, I would like to disable it. Environment Liferay DXP 7.2 Resolution Go to Control Panel --> System Settings --> Third Party --> jQuery Tick off the Enable jQuery checkbox Save,...

Issue A blank screen (with url http://localhost:8080/c) is seen after user password is reset. The expected behavior after password reset is for users to A) be successfully redirected to Liferay home page and B) remain logged in. However, in DXP 7.4 u50 (and below)...

Issue When not logged in, and user attempts to navigate to private page's URL, instead of being prompted to log in, a 'Not Found' page is seen instead. Environment DXP 7.4 Resolution In DXP 7.3, when users are not logged in and they navigate to a private page's URL, they are prompted to...

Issue The guest user observed the message "Redirecting to your identity provider" showed up before the OKTA user login screen showed up. The behavior just happened after upgrading the environment to 7.4 Update 56. We don't want the front-end users to see this message.  Environment...

Issue How can I mitigate vulnerability CVE-2022-38749, CVE-2022-38750, CVE-2022-38751 and CVE-2022-38752 regarding Liferay DXP? Environment Liferay Portal 6.2 EE Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 (until the U47) Resolution Upgrade to Liferay...

Issue The custom site panel category entries' panel app permissions do not work as intended. We are unable to grant permissions to access the panel app through a "Site role" if the category key does not start with "site_administration." It will only work if we grant the permission with a...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue Does the Apache Tomcat vulnerabilityCVE-2022-45143affect Liferay?...

Issue Unable to connect to Open LDAP in DXP due to the following UI error Environment Liferay DXP 7.4 Resolution These errors typically occur when Liferay is unable to communicate with LDAP or when mapping mistakes are made. As a result, please ping both servers to ensure that they can...

Issue A security scan has picked up the following vulnerabilities related to struts-core:  CVE-2012-1007, CVE-2014-0112 CVE-2014-0112: ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to...

Issue I would like to check who and what deleted pages or data from the Liferay system. Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution There are two ways of checking who and what deleted data: 1. From the UI by utilizing the Audit option, by going to the main menu on the upper...

Issue For security reasons we need to update the moment.js library from version 2.24.0 to version 2.29.4 How do I update the moment.js library in Liferay DXP? Security vulnerabilities in moment.js 2.24.0: CVE-2022-31129, CVE-2022-24785 Environment Liferay DXP 7.1+ Resolution The...

Issue How can I adjust the JSESSIONID cookie's SameSite attribute from None to Strict? Environment Liferay DXP 7.1 - 7.4 Resolution The JSessionID cookie's attributes are set by your application server or web server. When using a Liferay environment with a bundled Tomcat application...

Issue We are seeing many abnormal errors in our Liferay catalina logs all of sudden. We have tried restarting, but the errors continue. What could these mean? ERROR [ajp-nio-0.0.0.0-8009-exec-19][MVCPortlet:557] ${@print(md5(31337))}\ is not a valid include ERROR...

Issue The password encryption algorithm of existing users is not being updated after doing a password reset. Environment DXP 7.4 Resolution To resolve this behavior, open a help center ticket to request a hotfix containing LPS-165014, or update your installation to DXP 7.4 update 54 and...

Issue Characters as <, >, /, (, ), ", ' which can be used to make scripts, used in HTML and JavaScript are valid to use in the portal as inputs and values, and it can raise security questions The use of these characters did not throw any warning or error messages, neither on the UI nor...