Search Results

All Results 437
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
Guest users are able to access an endpoint if PortalSessionAuthVerifier is enabled
legacy Troubleshooting
Issue We have followed this How-To article: How to add security, authentication to my REST service? (Section 5.1), but guest users are still able to access our endpoint from a browser. If we enable...
Plain text can still be seen despite SSL
legacy
Issue Even if SSL (or TLS) is enabled, the login credentials are in plain text while intercepting requests with Burp Suite. Environment Liferay DXP 7.3 Resolution If a user utilizes the burp suite as a proxy, they...
Error "Invalid domain for site key" when using reCAPTCHA
legacy Troubleshooting
Issue When using Google's reCAPTCHA, the CAPTCHA option won't show, instead the message "Invalid domain for site key" is displayed where the CAPTCHA should be. Environment Any Liferay DXP version with...
log4j-core-2.13.3.jar exists inside the fix pack
legacy Troubleshooting
Issue This article highlights the concern with the following path of log4j lower version jars. {liferay_home}/patching-tool/patches/liferay-fix-pack-dxp-16-7210.zip!binaries/MODULES_BASE_PATH/marketplace/Liferay...
After changing the password, site members are not redirected to a page where they don't have the guest view permission
legacy Troubleshooting
Issue After changing the password, site members are not redirected to a page Steps to reproduce: 1) Start the server, login as Admin 2) Create a new page e.g. /testpage and remove the VIEW permission for the Guest...
Password reminder answers are not masked
legacy Troubleshooting
Issue As Liferay DXP does not hide password reminder answers, attackers can capture user's password reminder answers through man-in-the-middle or shoulder surfing attacks. Environment Liferay DXP 7.0 Liferay DXP...
Is there a REST API method to revoke the OAuth2 tokens?
legacy How To
Issue We want to provide a public REST API method to revoke the OAuth2 tokens following the RFC 7009 specification https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 Does Liferay provide this functionality?...
New user is not being able to login properly
legacy Troubleshooting
Issue A new user (this also happens to LDAP users) is unable to log-in the first time, but seems to be able to log-in on the second attempt. Steps to reproduce: 1) Create a guest user from Create Account tab at the...
The birthday is reset to {01/01/1970} on LDAP import
legacy Troubleshooting
Issue Every time a user is logged in, the birthday is automatically updated to the default value {01-01-1970}. We configured the LDAP server in Instance Settings. Environment Liferay DXP 7.2 Liferay DXP 7.3...
Vulnerability issues related to the EJS version in Fragments Toolkit
legacy Troubleshooting
Issue Vulnerability issues (ejs template injection vulnerability) were reported related to the EJS version inside the yarn.lock file while building fragments using the fragments toolkit. The EJS version is...
Duplicate user errors when setting up a SAML Authentication to replace an existing Token-Based SSO
legacy Troubleshooting
Issue When trying to set up a SAML authentication to replace existing Token-Based SSO, there are errors that populate stating that the user and/or email address is already in use.  A user with company 1xxxx and email...
Is it Liferay vulnerable to the Log4j Vulnerability CVE-2019-17571?
legacy
Issue After search in the following folder:/tomcat/webapps/ROOT/WEB-INF/lib/log4j-extras.jar is notice that the log4 is available as part of product, so the Liferay is it vulnerable to this lib? Environment All...
Nested Azure AD Groups are not assigned to Liferay groups
legacy Troubleshooting
Issue You want to assign Liferay user groups via dynamic Azure AD groups when logging in with SAML. For this, certain rules of Azure AD groups are in place based on your needs. There might be an issue where nested...
Is SELinux compatible with Liferay DXP 7.4?
legacy
Issue Is SELinux configuration compatible with Liferay DXP 7.4? Environment Liferay DXP 7.4 Running on one of the supported Operating Systems Resolution It is possible to set up SELinux to work with Liferay DXP 7.4 It is up to...
Insecure Cross Document Messaging
legacy Troubleshooting
Issue Cross Document Messaging (also known as Web Messaging) introduced the postMessage() method, with which plaintext messages can be sent cross-origin. It consists of two parameters: “message”, and...
High CPU utilisation while using script to login users continuously
legacy Troubleshooting
Issue Facing high CPU utilization while logging-in high number of users per minute continuously (24x7) using username-password authentication, mostly while fetching data using some scripts. Environment Liferay DXP...
How to implement a token system instead of using credentials to access remote services
legacy How To
Issue Trying to write a custom remote service using Liferay (ServiceImpl file), so which method may be used to authenticate using a token rather than credentials? Environment Liferay DXP 7.4 Resolution Liferay has...
ORA-12899 because OpenID access token is too large
legacy
Issue We store several things in our OpenID access token and when a user tries to log in, it fails because the token size exceeds the 3000-character limit specified in the ACCESSTOKEN column of the...
AntiSamy sanitizer cleans some of the HTML tags and styles, how can we solve that?
legacy Troubleshooting
Issue We turned on AntiSamy but it removes certain HTML code and CSS styles from our Web Content articles. Environment DXP 7.0+ Resolution Usage of HTML and CSS in Web Content article HTML fields Web content articles...
Can Liferay Support SP and IDP initiated SAML Simultaneously?
legacy
Issue Our team is the design phase for authentication and we want to know if Liferay supports IDP and SP initiated SAML logins at the same time?  Environment DXP 7.4 Resolution No, a single instance should not be both...
Captcha authentication via Headless API
legacy
Issue We have developed a Liferay fragment to collect user input via a custom-designed HTML form. This fragment interacts with custom Liferay objects through a Headless API using JS We have created a new role with the...
Security Issue Concerning Google Guava Versions 1.0 to 32
legacy How To
Issue There is a present vulnerability with Google Guava that affects the versions from 1.0 to 31.1. Liferay is currently bundled with Guava. It has been reported that...
Checking for vulnerability to CVE-2022-42889
legacy Troubleshooting
Issue Is our Liferay instance vulnerable to CVE-2022-42889?  Environment DXP 7.4, DXP 7.3, DXP 7.2, DXP 7.1, DXP 7.0  Resolution Look for commons-text in ${liferay.home}/license/versions.html, if you do not find it, you...
How to test for vulnerabilitity to CVE-2020-7961
legacy How To
Issue We would like to determine if we are vulnerable to CVE-2020-7961. Environment DXP 7.3, DXP 7.2,  DXP 7.1, DXP 7.0 Resolution The steps to test for vulnerability to CVE-2020-7961 are as follows:   1. Start your...
CVE-2020-28885 and CVE-2020-28884
legacy
Issue We would like to know about Liferay's vulnerability to CVE-2020-28885 and CVE-2020-28884. The CVE's claim that it is a vulnerability for an Administrator User to be able to inject commands through the Gogo Shell...
How can we set the requireSSL property?
legacy How To
Issue How can we enable the requireSSL attribute in Liferay? Environment Liferay DXP 7.0+ Resolution You can set that in your JDBC properties:...
What should be done when answers to the security questions are forgotten?
legacy How To
Issue My users keep forgetting their answers to the security questions is there a way to disable this? Also is there an alternative to the forgot password option? Environment DXP 7.4 Resolution Liferay already sends a...
Does having a script in a button fragment qualify as a potential XSS vulnerability?
legacy
Issue We can put a Javascript code in the Button fragment's URL field, so it can be executed when we click on the button, like javascript:alert(document.cookie) Can that be a vulnerability to Cross Site...
Liferay accepts only fully signed SAML responses. Can this requirement be turned off?
legacy
Issue From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps. I can understand that Liferay by default requires the complete signature of...
Does CVE-2022-1471 affects DXP 7.4?
legacy Troubleshooting
Issue Our scanner reported that the Liferay DXP image as well as the Elasticsearch image are vulnerable to CVE-2022-1471, which is about an issue with SnakeYaml. Could you please confirm if we have to address this...
How to extract the okta authorization token for each user?
legacy Troubleshooting
Issue Once users log in to Liferay, the user should get redirected to Okta. After successful authentication, Okta is supposed to return an authorization token for that specific user.  Concern: After successful Okta...
Unable to extend user session on Weblogic
legacy Troubleshooting
Issue When I call Liferay.Session.extend(); from Liferay 7.4 running on Weblogic, the user session terminates. Environment DXP 7.4 Weblogic Resolution This behavior is resolved by LPS-190923. Please open a help...
Is One Time Password's expiration configurable?
legacy
Issue When does One Time Password expire? Can you set the validity timeframe of the OTP? Environment DXP 7.2+ Resolution OTP is HTTP session based, if the session expires, OTP expires as well. And it can only be used...
Security configuration related to session management
legacy
Issue There are some security configuration requirement regarding session management. Environment Liferay DXP 7.4 Resolution Application uses the 'referrer' header as a supplemental check only, and not just for any...
OpenID Connect Error - "Signed JWT rejected"
legacy Troubleshooting
Issue When configuring authentication using OpenID Connect, login fails and the following error is reported: Unable to validate tokens: Signed JWT rejected: Another algorithm expected, or no matching key(s) found...
Is Liferay's SAML Service Provider Logout URL required in the Identity Provider?
legacy Troubleshooting
Issue Azure's SAML Identity Provider (IdP) marks the Service Provider's (SP) Logout URL as "optional" However, when I remove Liferay's Logout URL from Azure's SAML configurations, Liferay users are not signed out...
XSS and Web Content editing
legacy Troubleshooting
Issue Web Content Editing If a script is added to the content field and published, the script is executed when the article is displayed. Accessing the page triggers an alert each time. Allowing such content could...
Where is the password reset email set up and in what priority order?
legacy
Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us....
Does Liferay DXP validate Session Identifiers?
legacy
Issue Does Liferay DXP validate Session Identifiers? And yes, Liferay does validate Session Identifiers! Environment Liferay DXP Resolution As for the session configuration in the portal we have the...
SQL injection Sleepy user agent attack
legacy
Issue Liferay does not restrict a URL that has a 'sleepy user agent' query appended to it like: https://domain/page?1%2b(select*from(select(sleep(x)))a)%2b=1 Environment Liferay DXP 7.4 Resolution Sleepy user agent...