Search Results

All Results 435
ソート
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
GDPR-compliant 3rd party cookie handling in 7.3
legacy
Issue Can you backport GDPR-compliant 3rd party cookie handling to 7.3 SP3?  Environment The feature got implemented in DXP 7.4.13-u66. Backporting this feature to 7.3 is not feasible. Resolution There are 3 options...
'Authentication Search Filter' for Users in LDAP
legacy
Issue At the moment, we are using LDAP server connection to authenticate our users. Our question is: in which moment the query to authenticate users is executed? More exactly, when the field 'Authentication Search...
Are URLs that display/download Liferay JS information a vulnerability?
legacy
Issue Some monitoring tools may identify certain URLs that are accessible during routine scans that should not have allowed access. Among the URLs that are typically detected are URLs that can download Liferay's JS...
When trying to access a user's private page, a "404 Page Not Found" populates instead of the Login prompt
legacy
Issue When trying to access a user's private page, we are transferred to a "404 Page Not Found" error page instead of the Login page that we were expecting.  Environment DXP 7.4 Quarterly Release Resolution Not being...
What is the user password algorithm and format of the stored passwords?
legacy
Issue We would like to understand the formatting of passwords as they're saved in Liferay. What algorithm, salt, and hash format is being used to store passwords?  Environment DXP 7.1 Resolution Example Password:...
Service Organization Control (SOC) -1 Type 2 report
legacy
Issue Service Organization Control (SOC) -1 Type 2 report for auditing purposes. Environment Liferay DXP Resolution The SOC-1 report focuses on financial controls and their evaluation and this reporting is not...
A blank SAML redirect screen is seen even with redirect message disabled
legacy
Issue A blank intermediary page (showing "Please select your identity provider" title and /portal/c/portal/login?redirect=%2Fportal%2F&refererPlid=[sanitized]&p_l_id=[sanitized] URL) is being seen even with the hotfix...
How to Disable CAPTCHA on Server Admin Pages
legacy How To
Issue How do you disable CAPTCHA on pages? Site Administration pages like the Gogo Shell now have a CAPTCHA verification. How do you disable CAPTCHA on pages? Adding “-1” (Never Check), doesn’t work....
Security Issue: CVE-2024-28752 - Apache CXF
legacy
Issue Security vulnerability CVE-2024-28752 details a SSRF vulnerability with the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3, and 3.5.8, which would allow an attacker to perform SSRF style attacks...
LDAP import PermissionChecker not initialized
legacy Troubleshooting
Issue When importing users by Groups and enabling ‘Creating Roles on Import’, the roles and groups will be created/imported, but the users are not imported. Error reads PermissionChecker not initialized...
Critical Remote Code Execution Backdoor Vulnerability
legacy
Issue A critical remote code Backdoor vulnerability was discovered on the open source XZ utils. This is CVE-2024-3094 with a maximum CVSS3 score of 10.0 Environment Liferay DXP 7.4 Resolution The Docker images,...
Unable to embed widgets even with "Allow users to add to any website" enabled
legacy Troubleshooting
Issue I cannot embed widgets on another site (with a different domain) even though I have the checkbox "Allow users to add <portlet> to any website" enabled. "<Hostname> refused connection" error may be seen. ...
Unable to process the OpenID Connect login: Resource URI must be absolute and with no query or fragment
legacy Troubleshooting
Issue Unable to login with OpenID from the Sign-In portlet: ERROR [http-nio-8080-exec-2][OpenIdConnectLoginRequestMVCActionCommand:190] Unable to process the OpenID Connect login: java.lang.IllegalStateException:...
Cipher Keys used in DXP 7.1 and 7.3
legacy
Issue Our security team would like to know whether Liferay DXP 7.1 and DXP 7.3 uses any of the following cipher keys? DES, 3DES, IDEA or RC2 Environment Liferay DXP 7.1 Liferay DXP 7.3 Resolution The algorithms...
Database Permissions Required for Liferay
legacy
Issue Could you please provide us with a list of Database Permissions required for Liferay to function? (We are optimizing our application security concerning the Database) Environment Liferay DXP 7.1...
LOGOUT event is not added to Audit Table
legacy Troubleshooting
Issue LOGOUT event is not being audited when SAML SLO is enabled. Environment Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution This happens because LogoutPreAction and LogoutPostAction classes do not get...
Unable to process OpenID Connect authentication response: Requested value and approved state do not match
legacy
Issue From time to time, error messages like the following appear in logs: 2024-02-14 13:31:55.099 ERROR [http-nio-8080-exec-120][OpenIdConnectFilter:132] Unable to process OpenID Connect authentication response:...
Vulnerable JavaScript dependency Bootstrap-select 1.12.4
legacy
Issue The version of bootstrap-select 1.12.4 is vulnerable to attacks. To overcome this, bootstrap-select should be upgraded to a non-vulnerable version. Environment Liferay DXP 7.3  Resolution Liferay does not...
Email are not sent from Liferay when Office365 is used as the server
legacy Troubleshooting
Issue Emails are not sent out from Liferay In the log, we see the following error: liferay[liferay-7] [dxp] ERROR [liferay/mail-6][MailEngine:74] Unable to send message: 535 5.7.139 Authentication unsuccessful, the...
"Text verification failed" Captcha error
legacy Troubleshooting
Issue We are trying to use the Reset Password functionality, but every time we enter the captcha text correctly, we always get an error saying: "Text verification failed". We noticed this same behavior on other...
Vulnerability in Apache Tomcat (CVE-2023-46589)
legacy Troubleshooting
Issue This security vulnerability (CVE-2023-46589) has been reported, and it is fixed in Tomcat 9.0.83. However, our current Liferay DXP 7.4 update 67 has a 9.0.71 Tomcat version. Environment Liferay DXP 7.4...
Liferay 6.2 EE 173 and CVE-2024-25145
legacy
Issue We have found the following article CVE-2024-25145 Stored XSS with search results if highlighting is disabled, however it does not specify whether Liferay 6.2 EE 173 is affected or not. Environment Liferay 6.2 EE...
Can SAML be used to send an attribute that can be used to assign site roles?
legacy
Issue Currently, SAML is not designed to be utilized to send an attribute that can be used to assign site roles. Environment Quarterly Releases Resolution This is an ongoing task, LPD-6336, for Liferay. Liferay is...
OpenID Connect Error - "Signed JWT rejected" with CAS
legacy Troubleshooting
Issue When configuring authentication using OpenID Connect, login fails and the following error is reported: Unable to validate tokens: Signed JWT rejected: Another algorithm expected, or no matching key(s) found...
/c/ redirects to login page
legacy
Issue When the user tries to access the URL: 'http://localhost:8080/c/', even if the 'c' page doesn't exist, it redirects to the login page instead of a 404 page not found. Environment Liferay DXP [all versions]...
Log messages for Stored XSS vulnerabilities
legacy Troubleshooting
Issue We would like to know whether there are any strings to search for in log files, to check if any of the following vulnerabilities have been exploited in our environment? LSV-1237 / CVE-2023-42628 LSV-1236 /...
Getting 'DuplicateSamlIdpSsoSessionException' in the Debug Logs
legacy Troubleshooting
Issue Users are facing intermittent login issues in the SAML environment; however, the below error is observed frequently in their log files: DEBUG [default task-73687][BaseSamlStrutsAction:61] null...
Security Vulnerability CVE-2023-28708
legacy How To
Issue This security vulnerability (CVE-2023-28708) has been reported, and it is fixed in Tomcat 9.0.72. However, our current Liferay DXP 7.3 SP1 has a 9.0.40 Tomcat version. Environment Liferay DXP 7.3 Resolution...
Error "Invalid site key" when using reCAPTCHA v3
legacy Troubleshooting
Issue When configuring reCAPTCHA v3 and testing it on the "Forgot Password" page, the following error message is reported: "ERROR for site owner: Invalid site key". Environment Liferay DXP 7.2+ Resolution Liferay...
How to enable cookies and the banner, consent panel
legacy How To
Issue How to enable the cookie preference handling as well as the configuration options for both the banner and the consent panel. Environment Liferay DXP 7.4 Resolution This feature was introduced in the Liferay...
SAML Sessions remain Active despite Logout in Liferay
legacy Troubleshooting
Issue We have integrated SAML with our Liferay configuration. We have noticed that after a User logs out, their session remains active in Liferay. Environment Liferay DXP 7.3 Resolution This issue may occur if the...
Requests to Liferay with an invalid HOST request HTTP header returns the default site
legacy Troubleshooting
Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue Requests to Liferay with an invalid HOST request...
Access-control-allow-origin CORS Header not honoring System setting Configuration
legacy
Issue When configuring CORS headers in System Settings we are seeing that access-control-allow-origin header doesn't always have the configured value. Environment Liferay DXP 7.4 Resolution According to the...
Security Managers, Vul ID: V-222936 STIG 
legacy
Issue Vul ID: V-222936 STIG is flagged when Java Security Managers are not enabled. It states that "The Java Security Manager must be enabled." Environment  DXP 7.1 Resolution Liferay DXP does not currently support...
Duplicate user errors when setting up a SAML Authentication to replace an existing Token-Based SSO
legacy Troubleshooting
Issue When trying to set up a SAML authentication to replace existing Token-Based SSO, there are errors that populate stating that the user and/or email address is already in use.  A user with company 1xxxx and email...
LDAP Related Queries
legacy
Issue If the password is changed in the Active Directory, the user will still be able to log in to DXP? If we delete the user from Active Directory, the user will still be able to log in to DXP? How to import/ export...
Will a curl vulnerability impact Liferay DXP?
legacy
Issue There have been security announcements that are deemed to be a high-risk vulnerability that is caused by curl 8.4.0.   Environment DXP 7.3 Resolution Liferay DXP does not use the libcurl library. In conclusion,...
Vulnerability in CKeditor 4.18.0
legacy Troubleshooting
Issue In Liferay, a vulnerable version of CKEditor 4.18.0 is being used. The vulnerability CVE-2023-28439 is present in the CKEditor versions less than 4.21.0. Environment Liferay DXP 7.0+ Resolution The observed...
Nested Azure AD Groups are not assigned to Liferay groups
legacy Troubleshooting
Issue You want to assign Liferay user groups via dynamic Azure AD groups when logging in with SAML. For this, certain rules of Azure AD groups are in place based on your needs. There might be an issue where nested...
Differentiate multiple Identity Provider when click on the Sign-in button
legacy
Issue How the user can login to specific IDP when multiple IDPs are configured on the portal? Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution While using...
Is SELinux compatible with Liferay DXP 7.4?
legacy
Issue Is SELinux configuration compatible with Liferay DXP 7.4? Environment Liferay DXP 7.4 Running on one of the supported Operating Systems Resolution It is possible to set up SELinux to work with Liferay DXP 7.4 It is up to...
Insecure Cross Document Messaging
legacy Troubleshooting
Issue Cross Document Messaging (also known as Web Messaging) introduced the postMessage() method, with which plaintext messages can be sent cross-origin. It consists of two parameters: “message”, and...
CSP headers are not working on DXP-7.4
legacy Troubleshooting
Issue Trying to attempt to work with the CSP feature, which is present in update 90 under feature flags, but users are still experiencing issues where they are unable to edit the page and it is continuously...
How to implement a token system instead of using credentials to access remote services
legacy How To
Issue Trying to write a custom remote service using Liferay (ServiceImpl file), so which method may be used to authenticate using a token rather than credentials? Environment Liferay DXP 7.4 Resolution Liferay has...
Is There A Way To Verify ClamAV Integration With Liferay?
legacy Troubleshooting
Issue We followed the instructions below to enable document virus scanning, but we do not see any way to confirm the ClamAV integration was successful or that file scans are occurring when new files are uploaded to...
ORA-12899 because OpenID access token is too large
legacy
Issue We store several things in our OpenID access token and when a user tries to log in, it fails because the token size exceeds the 3000-character limit specified in the ACCESSTOKEN column of the...
AntiSamy sanitizer cleans some of the HTML tags and styles, how can we solve that?
legacy Troubleshooting
Issue We turned on AntiSamy but it removes certain HTML code and CSS styles from our Web Content articles. Environment DXP 7.0+ Resolution Usage of HTML and CSS in Web Content article HTML fields Web content articles...
How is AntiSamy configured?
legacy
Issue We configured AntiSamy to santize Web Content articles. We would like to understand how AntiSamy works and what parts are expected to be removed in Web Content articles. Environment DXP 7.0+ Resolution In the...
Can Liferay Support SP and IDP initiated SAML Simultaneously?
legacy
Issue Our team is the design phase for authentication and we want to know if Liferay supports IDP and SP initiated SAML logins at the same time?  Environment DXP 7.4 Resolution No, a single instance should not be both...
Force Authentication in SAML requiring reauthentication in SP
legacy How To
Issue With SAML and Force Authentication enabled, I am required to reauthenticate requests from the SP Environment DXP 7.3, 7.4 Resolution This behavior is intended, but to avoid manual reauthentication in this...
Captcha authentication via Headless API
legacy
Issue We have developed a Liferay fragment to collect user input via a custom-designed HTML form. This fragment interacts with custom Liferay objects through a Headless API using JS We have created a new role with the...
Is there a way identify When was the user Deactivated and by Whom?
legacy How To
Issue Is there a possible way to find out when was the exact date the Liferay user was deactivated and by whom? Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution Please run the attached Groovy script to get a...
How can I access OpenIdConnectProvider classes in 7.4 U34+?
legacy How To
Issue The Liferay classes com.liferay.portal.security.sso.openid.connect.OpenIdConnectProvider; and com.liferay.portal.security.sso.openid.connect.OpenIdConnectProviderRegistry; were removed in U34+...
How do we Toggle Requirement for Strangers to Verify their Email Address
legacy How To
Issue How do we toggle the requirement for strangers to verify their email address  Environment DXP 7.4 Resolution This setting can be toggled by going to: Instance Settings > User Authentication. From here, you can...
Checking for vulnerability to CVE-2022-42889
legacy Troubleshooting
Issue Is our Liferay instance vulnerable to CVE-2022-42889?  Environment DXP 7.4, DXP 7.3, DXP 7.2, DXP 7.1, DXP 7.0  Resolution Look for commons-text in ${liferay.home}/license/versions.html, if you do not find it, you...
How to test for vulnerabilitity to CVE-2020-7961
legacy How To
Issue We would like to determine if we are vulnerable to CVE-2020-7961. Environment DXP 7.3, DXP 7.2,  DXP 7.1, DXP 7.0 Resolution The steps to test for vulnerability to CVE-2020-7961 are as follows:   1. Start your...
CVE-2020-28885 and CVE-2020-28884
legacy
Issue We would like to know about Liferay's vulnerability to CVE-2020-28885 and CVE-2020-28884. The CVE's claim that it is a vulnerability for an Administrator User to be able to inject commands through the Gogo Shell...
Is Liferay vulnerable to CVE-2023-40371 and CVE 2023-38408?
legacy
Issue Is Liferay vulnerable to any of these vulnerabilities? Environment DXP 6.2+ Resolution No, Liferay is not vulnerable to any of these two. Neither CVE relates to any Liferay features, so they do not...
What should be done when answers to the security questions are forgotten?
legacy How To
Issue My users keep forgetting their answers to the security questions is there a way to disable this? Also is there an alternative to the forgot password option? Environment DXP 7.4 Resolution Liferay already sends a...
0Auth2.0 issues new token every time even before token's expiration time
legacy
Issue The access_token expiration default is set to 10 minutes. When invoking the /oauth2/token before the previous token expires, a brand new token is issued instead of the original token.  Environment DXP 7.4...