Search Results

All Results 437
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
Is Liferay DXP affected by CVE-2024-38286?
legacy Troubleshooting
Issue Is Liferay DXP affected by CVE-2024-38286? CVE-2024-38286 is an Apache Tomcat vulnerability wherein Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by...
Password for LDAP and Liferay users should not expire
legacy Troubleshooting
Issue After integrating Liferay with the LDAP server for users, the passwords for the users are expiring after some time and are required to be reset again. Is there any way for the passwords to never...
Multi-Factor Authentication via SMS
legacy
Issue We want to set up MFA via SMS without using any external Apps. Is this possible with Liferay out-of-the-box? Environment Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution MFA by SMS is not...
CVE-2022-22950
legacy Troubleshooting
Issue We would like to determine whether Liferay is vulnerable to CVE-2022-22950. The CVE claims that in Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a...
[T003] Open redirect in /c/document_library/find_folder with DNS rebinding vulnerability
legacy Troubleshooting
Issue Medium threat found during the performance testing: [T003] Open redirect in /c/document_library/find_folder with DNS rebinding Environment Liferay Quarterly release Resolution The reported concern has been...
Enabling SSO for our Liferay Console prevents logging in with email and password
legacy
Issue After enabling SSO for our Liferay Console, we are no longer able to log in with email and password.  Environment DXP 7.4 Resolution This is expected behavior, as per the Official documentation for SSO: "The first...
CVE-2023-52428
legacy Troubleshooting
Issue We would like to determine whether Liferay is vulnerable to CVE-2023-52428. Environment DXP 7.4, 2023.Q4 Resolution Contact Customer Support to request a hotfix containing LPE-18064. Additional Information...
Vulnerability: Robots.txt file must not be accessed and should be blocked
legacy Troubleshooting
Issue Encountered a vulnerability issue with the robots.txt file and the vulnerability test suggests preventing the robots.txt file from being accessed. Environment Liferay DXP 7.3 Liferay DXP 7.4...
GitHub Token Leak Exposure
legacy
Issue GitHub Personal Access Token has been leaked in a public Docker container hosted on Docker Hub. Some of the malicious packages like testbrojct2, proxyfullscraper, proxyalhttp and proxyfullscrapers work...
HTTP Strict-Transport-Security Header in Liferay
legacy
Issue Is HTTP Strict-Transport-Security Header enabled in Liferay? Environment Liferay DXP 7.4 Resolution Liferay enables HTTP security headers such as 'http.header.secure.x.content.type.options',...
Unable to Cancel Shutdown Event
legacy Troubleshooting
Issue After scheduling a shutdown event, and trying to cancel it, you see an error: "Error:Text verification failed."   When trying to cancel a shutdown event, I'm prompted to input a CAPTCHA, but there is...
A simple example and key factors to check when testing custom OAuth 2.0 applications
legacy How To
Issue You have created an OAuth 2.0 application and would like to set up the minimum configuration to be able to test it. This article provides a simple example that could be adapted to your needs....
OpenID Connect Client Secret field must be filled
legacy Troubleshooting
Issue I configured an OpenID Connect Provider Connection. When I try to login using the OpenID  Connect Client Name, I get an internal server error. In logs, a java exception is thrown: WARN [http...
Residual risk after limiting the usage of unsafe-eval and unsafe-inline
legacy
Issue Can the derivatives unsafe-eval and unsafe-inline be exploited? If yes, how it is done? What is the residual risk associated with this? Can Content Security Policy (CSP) be resolved by adding a reverse...
Remove extend_session for Guest users
legacy
Issue Guest users should not be able to see the extend_session message in the browser once the session has expired. Environment Liferay DXP [7.1-7.4, Quarterly Releases] Resolution Post observing the time...
Access revoked after task assignment to another user
legacy How To
Issue Once the user assigns the task to another user, then the previous user loses access to that task and is unable to see that in the 'Assigned to my roles' tab of 'My workflow Tasks'. Steps to reproduce: 1....
CVE-2013-3587- enable of HTTP compression
legacy Troubleshooting
Issue Security vulnerability CVE-2013-3587 details a breach attack that is possible with the enable of HTTP compression and Deflate. Steps to see the behvaior: Navigate to any of the pages on the Liferay server....
Provide other permissions to Guest user beside just view permission
legacy
Issue Can users give permission to the guest users to use the headless API to create, update, delete, etc. for documents & media, besides just the VIEW permission? Environment Liferay DXP 7.4 Resolution These...
Can you add a theme or fragments to action pages?
legacy Troubleshooting
Issue How do I add fragments to action pages like /c/portal/update_password and /c/portal/update_reminder_query? Our theme reverts on utility/action pages /c/ When a user is taken to the...
Polyfill.io Vulnerability: Is Liferay affected?
legacy
Issue An attribute polyfill:true is observed in the source code of the website. Does it have anything to do with the domain 'https://polyfill.io'? Is Liferay affected by the Polyfill.js vulnerability? ...
The Impersonation Attempt Fails Without Errors in the Logs or UI
legacy Troubleshooting
Issue Admin users are unable to impersonate other users. When attempting to impersonate, a new tab opens, but it remains on the original user. Impersonation attempts fail, the `doAsUserId?` is missing from...
Is Liferay vulnerable to CVE-2023-50164?
legacy
Issue After running a scan, we received an alert about a possible vulnerability in Liferay. We want to confirm if we are vulnerable to CVE-2023-50164. Environment All environments. Resolution Liferay is not...
Deprecation of Liferay Sync
legacy
Issue I'd like to inquire about the support for Liferay 7.4 in the Liferay Sync. Currently, the Compatibility Matrix only lists support for Liferay DXP 7.3. Environment Liferay DXP 7.4+ Resolution Liferay Sync got...
Redirecting to login page when authenticated via SAML returns a 500 error
legacy Troubleshooting
Issue Navigating to to the login page /c/portal/login on the SP throws a 500 error when already logged in through SAML. Environment DXP 7.3 DXP 7.4 Resolution This is a known issue affecting DXP 7.4 U80 and lower and...
Vulnerability on spring-web
legacy
Issue The security scanner flagged the Liferay with the security vulnerability due to the JAR containing the vulnerable classes, reported here CVE-2016-1000027. Environment Liferay DXP 7.4 Resolution It's been...
Enable/Disable Multi-Factor Authentication
legacy How To
Issue If there is any problem related with the way two-factor is working or do you simply want to deactivate it for some reason. Environment Liferay DXP 7.4 2023 Q1 - 2023 Q4 2024 Q1 Resolution There are two...
The users imported from LDAP cannot change their password
legacy Troubleshooting
Issue The users who were imported from LDAP cannot modify their passwords from My Account. Environment All Liferay DXP environments Resolution Make sure that LDAP Export option is enabled. Ensure that the credentials...
GDPR-compliant 3rd party cookie handling in 7.3
legacy
Issue Can you backport GDPR-compliant 3rd party cookie handling to 7.3 SP3?  Environment The feature got implemented in DXP 7.4.13-u66. Backporting this feature to 7.3 is not feasible. Resolution There are 3 options...
'Authentication Search Filter' for Users in LDAP
legacy
Issue At the moment, we are using LDAP server connection to authenticate our users. Our question is: in which moment the query to authenticate users is executed? More exactly, when the field 'Authentication Search...
Web Server keeps asking for basic authentication when using a Client Extension that makes a request via OAuth to Liferay API
legacy Troubleshooting
Issue A Web Server before the Liferay environment is configured with Basic Auth. Liferay uses a Client Extension (CX) that makes a request to a Liferay API using OAuth. When the page using the CX is loaded, the Web...
Microsoft Azure Key Vault with Liferay DB
legacy How To
Issue Can we use Azure Key Vault with DB setup configuration in Liferay instead of having it in plain text in the properties file? Is there any way to configure the DB in Liferay using Azure Key Vault? How we can use...
'Email Account Activity: New Sign-In detected for your account' received which is an unwanted email
legacy
Issue Receiving unwanted email notifications like "Your email account abc@xyz.org.in was signed into from a new location, device, browser, or application" from GoDaddy. Below are the details received:   From:...
Tomcat Vulnerability Impact (CVE-2023-28708)
legacy
Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue...
Are URLs that display/download Liferay JS information a vulnerability?
legacy
Issue Some monitoring tools may identify certain URLs that are accessible during routine scans that should not have allowed access. Among the URLs that are typically detected are URLs that can download Liferay's JS...
When trying to access a user's private page, a "404 Page Not Found" populates instead of the Login prompt
legacy
Issue When trying to access a user's private page, we are transferred to a "404 Page Not Found" error page instead of the Login page that we were expecting.  Environment DXP 7.4 Quarterly Release Resolution Not being...
What is the user password algorithm and format of the stored passwords?
legacy
Issue We would like to understand the formatting of passwords as they're saved in Liferay. What algorithm, salt, and hash format is being used to store passwords?  Environment DXP 7.1 Resolution Example Password:...
Service Organization Control (SOC) -1 Type 2 report
legacy
Issue Service Organization Control (SOC) -1 Type 2 report for auditing purposes. Environment Liferay DXP Resolution The SOC-1 report focuses on financial controls and their evaluation and this reporting is not...
Is Liferay 7.4 vulnerable to CVE-2024-25148?
legacy
Issue We've reviewed the official documentation (https://nvd.nist.gov/vuln/search/results) which lists some Liferay versions affected, so we would like to know if the 7.4 versions is vulnerable to this CVE....
Liferay's OpenID Connect implementation does not account for language variations for ui_locales
legacy
Issue Liferay's OpenID Connect implementation does not account for language variations for ui_locales. For example, Selecting English (United States) on Liferay sets ui_locales to en. Selecting Chinese (either Traditional...
A blank SAML redirect screen is seen even with redirect message disabled
legacy
Issue A blank intermediary page (showing "Please select your identity provider" title and /portal/c/portal/login?redirect=%2Fportal%2F&refererPlid=[sanitized]&p_l_id=[sanitized] URL) is being seen even with the hotfix...
How to Disable CAPTCHA on Server Admin Pages
legacy How To
Issue How do you disable CAPTCHA on pages? Site Administration pages like the Gogo Shell now have a CAPTCHA verification. How do you disable CAPTCHA on pages? Adding “-1” (Never Check), doesn’t work....
Security Issue: CVE-2024-28752 - Apache CXF
legacy
Issue Security vulnerability CVE-2024-28752 details a SSRF vulnerability with the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3, and 3.5.8, which would allow an attacker to perform SSRF style attacks...
LDAP import PermissionChecker not initialized
legacy Troubleshooting
Issue When importing users by Groups and enabling ‘Creating Roles on Import’, the roles and groups will be created/imported, but the users are not imported. Error reads PermissionChecker not initialized...
Critical Remote Code Execution Backdoor Vulnerability
legacy
Issue A critical remote code Backdoor vulnerability was discovered on the open source XZ utils. This is CVE-2024-3094 with a maximum CVSS3 score of 10.0 Environment Liferay DXP 7.4 Resolution The Docker images,...
Unable to embed widgets even with "Allow users to add to any website" enabled
legacy Troubleshooting
Issue I cannot embed widgets on another site (with a different domain) even though I have the checkbox "Allow users to add <portlet> to any website" enabled. "<Hostname> refused connection" error may be seen. ...
Observing 'Your connection is not private' Warning on Help Center Downloads
legacy Troubleshooting
Issue When trying to download a quarterly release from Liferay's Help Center we are getting a browser error that says 'Your connection is not private... Attackers might be trying to steal your information...'...
Unable to process the OpenID Connect login: Resource URI must be absolute and with no query or fragment
legacy Troubleshooting
Issue Unable to login with OpenID from the Sign-In portlet: ERROR [http-nio-8080-exec-2][OpenIdConnectLoginRequestMVCActionCommand:190] Unable to process the OpenID Connect login: java.lang.IllegalStateException:...
Cipher Keys used in DXP 7.1 and 7.3
legacy
Issue Our security team would like to know whether Liferay DXP 7.1 and DXP 7.3 uses any of the following cipher keys? DES, 3DES, IDEA or RC2 Environment Liferay DXP 7.1 Liferay DXP 7.3 Resolution The algorithms...
Is Liferay Affected by CVE-2023-49070?
legacy
Issue How can I mitigate vulnerability with CVE-2023-49070 regarding Liferay DXP? Environment All environments. Resolution Liferay does not use the Apache OFBiz, so Liferay is not impacted by this vulnerability....
Database Permissions Required for Liferay
legacy
Issue Could you please provide us with a list of Database Permissions required for Liferay to function? (We are optimizing our application security concerning the Database) Environment Liferay DXP 7.1...
LOGOUT event is not added to Audit Table
legacy Troubleshooting
Issue LOGOUT event is not being audited when SAML SLO is enabled. Environment Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution This happens because LogoutPreAction and LogoutPostAction classes do not get...
Unable to process OpenID Connect authentication response: Requested value and approved state do not match
legacy
Issue From time to time, error messages like the following appear in logs: 2024-02-14 13:31:55.099 ERROR [http-nio-8080-exec-120][OpenIdConnectFilter:132] Unable to process OpenID Connect authentication response:...
Obfuscating property values and rendering them as asterisks(*****) in the Control Panel.
legacy How To
Issue Certain property values need to be hidden in the Control Panel.  Environment DXP 7.4 Resolution To obfuscate the value of a portal property and have it appear as a string of asterisks (****) in the Control Panel,...
Vulnerable JavaScript dependency Bootstrap-select 1.12.4
legacy
Issue The version of bootstrap-select 1.12.4 is vulnerable to attacks. To overcome this, bootstrap-select should be upgraded to a non-vulnerable version. Environment Liferay DXP 7.3  Resolution Liferay does not...
Email are not sent from Liferay when Office365 is used as the server
legacy Troubleshooting
Issue Emails are not sent out from Liferay In the log, we see the following error: liferay[liferay-7] [dxp] ERROR [liferay/mail-6][MailEngine:74] Unable to send message: 535 5.7.139 Authentication unsuccessful, the...
Is there a way to bypass CAPTCHA without having to disable it?
legacy How To
Issue We will do some Automation tests in our QA environment and would like to know if it is possible to bypass CAPTCHA using configuration settings without having to disable it. Environment Liferay DXP 7.4...
"Text verification failed" Captcha error
legacy Troubleshooting
Issue We are trying to use the Reset Password functionality, but every time we enter the captcha text correctly, we always get an error saying: "Text verification failed". We noticed this same behavior on other...
Vulnerability in Apache Tomcat (CVE-2023-46589)
legacy Troubleshooting
Issue This security vulnerability (CVE-2023-46589) has been reported, and it is fixed in Tomcat 9.0.83. However, our current Liferay DXP 7.4 update 67 has a 9.0.71 Tomcat version. Environment Liferay DXP 7.4...
Liferay 6.2 EE 173 and CVE-2024-25145
legacy
Issue We have found the following article CVE-2024-25145 Stored XSS with search results if highlighting is disabled, however it does not specify whether Liferay 6.2 EE 173 is affected or not. Environment Liferay 6.2 EE...
Can SAML be used to send an attribute that can be used to assign site roles?
legacy
Issue Currently, SAML is not designed to be utilized to send an attribute that can be used to assign site roles. Environment Quarterly Releases Resolution This is an ongoing task, LPD-6336, for Liferay. Liferay is...