Search Results

Issue This security vulnerability (CVE-2023-28708) has been reported, and it is fixed in Tomcat 9.0.72. However, our current Liferay DXP 7.3 SP1 has a 9.0.40 Tomcat version. Environment Liferay DXP 7.3 Resolution To mitigate this vulnerability, update Liferay DXP 7.3 to Liferay 7.3...

Issue I would like to increase our protection from man in the middle attacks by obfuscating our site's HTML. Is there a method for this already implemented in Liferay? Environment DXP 7.0+ Resolution There is no obfuscation performed, and implementing it is not under consideration....

Issue When the user tries to access the URL: 'http://localhost:8080/language', even if the language page doesn't exist, it shows a 403 Forbidden error on UI instead of a 404 page not found. Logs error: ERROR [WebContainer : 19][LanguageServlet:64] Invalid authentication token received...

Issue When configuring reCAPTCHA v3 and testing it on the "Forgot Password" page, the following error message is reported: "ERROR for site owner: Invalid site key". Environment Liferay DXP 7.2+ Resolution Liferay does not currently support reCAPTCHA v3. To solve the issue, configure...

Issue You might encounter an error when using OpenID Connect, and users who are not yet been registered to Liferay are unable to login as they are identified as strangers. The error appears as the company.security.strangers is set to false You can also check this on the UI, by navigating...

Issue To enable X-Xss-Protection, add the below property in system-ext.properties http.header.secure.x.xss.protection=1; mode=block and restarted the server. But it is not working in the Liferay. Environment Liferay DXP 7.4 Resolution The HTTP header X-XSS-Protection set to 1 by default...

Issue How to enable the cookie preference handling as well as the configuration options for both the banner and the consent panel. Environment Liferay DXP 7.4 Resolution This feature was introduced in the Liferay DXP 7.4 update 66. To enable this option, follow the below steps: Navigate...

Issue We have integrated SAML with our Liferay configuration. We have noticed that after a User logs out, their session remains active in Liferay. Environment Liferay DXP 7.3 Resolution This issue may occur if the 'SameSite' attribute in the browser cookie is set to 'Strict'. To resolve...

Issue After enabling CSRF Tokens, a p_auth token is appended to URLs, as expected. However, we noticed that if we manually remove this from the end of a URL and hit enter, we are still able to access the page, even though p_auth is now missing from the request. Does this mean CSRF...

Issue We have enabled LDAP authentication, checking it as required and we have unchecked Ignore User Search Filter for Authentication. With this configuration applied the administrator users can login even if they do not exist in LDAP. Environment DXP 7.4 Resolution This is the expected...

Issue How to add the sameSite attribute as 'Strict' on the cookies JSESSIONID,COOKIE_SUPPORT,GUEST_LANGUAGE_ID on JBoss EAP 7.2 Environment Liferay DXP 7.4 JBoss EAP 7.2 Resolution In JBoss, navigate to jboss/standalone/configuration/standalone.xml. Edit standalone.xml and...

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue Requests to Liferay with an invalid HOST request HTTP header that does not match a configured Site URL returns the default site...

Issue When configuring CORS headers in System Settings we are seeing that access-control-allow-origin header doesn't always have the configured value. Environment Liferay DXP 7.4 Resolution According to the specification, if the request is valid for cors and it has a "Origin" header,...

Issue Vul ID: V-222936 STIG is flagged when Java Security Managers are not enabled. It states that "The Java Security Manager must be enabled." Environment  DXP 7.1 Resolution Liferay DXP does not currently support enabling a security manager, and there are currently no alternative...

Issue Vulnerability issues (ejs template injection vulnerability) were reported related to the EJS version inside the yarn.lock file while building fragments using the fragments toolkit. The EJS version is below 3.1.9 in many places in this yarn.lock file. Environment Liferay DXP 7.4...

Issue When trying to set up a SAML authentication to replace existing Token-Based SSO, there are errors that populate stating that the user and/or email address is already in use.  A user with company 1xxxx and email address test@liferay.com is already in use Updating the email address...

Issue Currently, Liferay offers 2 Captcha Engines out of the box: Simple Captcha and Google reCaptcha 2 We would like to use another Captcha service.   Environment Liferay DXP 7.4   Resolution At the moment it is not possible to integrate another Captcha Engine out of the box. There is...

Issue We were notified of a possible malware infection. The location is my extracted source code of a Liferay DXP bundle. The file in question is eicar.jpg Environment Liferay DXP 7.4 Resolution EICAR files can be used to verify antivirus integration, and to see if the AV correctly picks...

Issue How can I mitigate vulnerability with CVE-2023-4863 regarding Liferay DXP? Environment All environments. Resolution Liferay does not use the libwebp library, so are not vulnerable to CVE-2023-4863.  Additional Information CVE-2023-4863, content:...

Issue I would like to know if Liferay is vulnerable to CVE-2023-33946? Environment Liferay DXP 7.4 U1-U48 Resolution Yes, the Liferay is vulnerable to this CVE, the resolution is update to Liferay 7.4 U49 (or higher) Or create a hotfix with the following LSV-1154 Additional Information...