Search Results

Issue We have developed a Liferay fragment to collect user input via a custom-designed HTML form. This fragment interacts with custom Liferay objects through a Headless API using JS We have created a new role with the necessary permissions to access the Headless API endpoints for...

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue What is the policy for cleaning and updating content stored on the CDN cache? Environment Liferay PaaS Resolution The CDN avaliable...

Issue Is there a possible way to find out when was the exact date the Liferay user was deactivated and by whom? Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution Please run the attached Groovy script to get a full list of deactivated users: ListDeactivatedUsers.groovy Additional...

Issue The Liferay classes com.liferay.portal.security.sso.openid.connect.OpenIdConnectProvider; and com.liferay.portal.security.sso.openid.connect.OpenIdConnectProviderRegistry; were removed in U34+ by LPS-150092. How can I replace them in my customization?  Environment DXP 7.4...

Issue There is a present vulnerability with Google Guava that affects the versions from 1.0 to 31.1. Liferay is currently bundled with Guava. It has been reported that osb-distributed-messaging-google-pubsub-connector declares a dependency on Guava 30.1.1 which has a known vulnerability...

Issue It is possible to determine if an email address is valid or not (i.e., user enumeration) by comparing the request's response time. This can be done by checking the browser's network tab and comparing the response time when valid parameters are passed to when they are not....

Issue How do we toggle the requirement for strangers to verify their email address  Environment DXP 7.4 Resolution This setting can be toggled by going to: Instance Settings > User Authentication. From here, you can toggle the tickbox for "Require Strangers to Verify their Email...

Issue Is our Liferay instance vulnerable to CVE-2022-42889?  Environment DXP 7.4, DXP 7.3, DXP 7.2, DXP 7.1, DXP 7.0  Resolution Look for commons-text in ${liferay.home}/license/versions.html, if you do not find it, you are not vulnerable to this CVE.  If you do find it, contact Liferay...

Issue We would like to determine if we are vulnerable to CVE-2020-7961. Environment DXP 7.3, DXP 7.2,  DXP 7.1, DXP 7.0 Resolution The steps to test for vulnerability to CVE-2020-7961 are as follows:   1. Start your Liferay bundle   2. Open a new terminal window and ran the following...

Issue The captcha generated in the login is unreadable, even for humans. Environment Liferay DXP 7.2 Resolution Go to System Settings > Security Tools. Find and delete the following properties:  nl.captcha.gimpy.FishEyeGimpyRenderer nl.captcha.gimpy.ShearGimpyRenderer    , content:...

Issue After configuring SAML, I see Relay state exceeds 80 bytes WARN messages in the logs. How can I prevent the transmission of relay states larger than 80 bytes? Environment DXP 7.X Resolution This issue was resolved by LPS-76246. Please open a support ticket to request a hotfix...

Issue We would like to know about Liferay's vulnerability to CVE-2020-28885 and CVE-2020-28884. The CVE's claim that it is a vulnerability for an Administrator User to be able to inject commands through the Gogo Shell module and Groovy scripts, respectively, to execute any OS command on...

Issue We would like to determine whether Liferay is vulnerable to CVE-2023-33950 The CVE claims that Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allow regular expressions that are vulnerable to ReDoS attacks to be used as...

Issue Is Liferay vulnerable to any of these vulnerabilities? Environment DXP 6.2+ Resolution No, Liferay is not vulnerable to any of these two. Neither CVE relates to any Liferay features, so they do not affect Liferay portal. Additional Information Please check...

Issue We would like to verify the implementation version of a log4j.jar file, either to verify the application of an update or to assess current vulnerability.  Environment DXP 7.3, DXP 7.4 Resolution You can find the current implementation version of log4j. jar file by:  1. Opening the...

Issue Can Liferay connect to more than one Service or Identity Provider? Environment  DXP 7.0  DXP 7.1  DXP 7.2  DXP 7.3  DXP 7.4 Resolution Yes, Liferay does support more than one SAML or Identity Provider connection. Additional Information...

Issue How can we enable the requireSSL attribute in Liferay? Environment Liferay DXP 7.0+ Resolution You can set that in your JDBC properties: jdbc.default.url=jdbc:mysql://host/db?useUnicode=true&characterEncoding=UTF-8&useFastDateParsing=false&useSSL=true&requireSSL=true You can also...

Issue We can put Javascript code in the Matomo (DXP 7.4) or Piwiki (DXP 7.0-7.3) field where the code can be executed on every other page Go to a Site's Configuration -> Site Settings -> Analytics Under the Matomo or Piwik fields, paste something like: "><img src=x onerror=alert(origin)>...

Issue Once we setup a SAML SP connection, the SAML adapter doesn't recognize unauthenticated users and redirect them to /c/portal/login Environment DXP 7.4 Resolution This is intended behavior with the “Prompt Enabled” flag unchecked (unchecked by default).  To change this behavior,...

Issue The user is not prompted for login but to a 404 page when navigating in pages with restricted access if the user session expires or, if the user is not logged in and tries to access directly the url.  Environment DXP 7.4 Resolution We disable this feature, that is present in former...