5 matches found
Insecure Default Initialization of Resource
Overview: Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to the default configuration of the site membership process. An attacker can gain unauthorized access to view, add, or edit site content by registering as a user and joining sites with the...
Liferay Portal's unauthenticated users can access loaded files via URL before submitting the object entry
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files...
Path Traversal
Liferay is vulnerable to path traversal. The vulnerability is due to improper validation of the comliferayserveradminwebportletServerAdminPortletjarName parameter, which allows remote attackers to add or execute arbitrary files...
PT-2021-18039 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.4 and earlier; Liferay DXP versions 7.0 through 7.0 before fix pack 97; Liferay DXP versions 7.1 through 7.1 before fix pack 20; Liferay DXP versions 7.2 through 7.2 before fix pack 10. Description: The JSON web servic...
Cross-Site Scripting (XSS)
com.liferay.journal.taglib is vulnerable to cross-site scripting (XSS). Lack of HTML encoding allows a remote attacker to inject arbitrary JavaScript into a victim's browser via the title of the journal...