Search Results

Issue My users keep forgetting their answers to the security questions is there a way to disable this? Also is there an alternative to the forgot password option? Environment DXP 7.4 Resolution Liferay already sends a password reset link when users click on Forgot Password, provided that...

Issue The access_token expiration default is set to 10 minutes. When invoking the /oauth2/token before the previous token expires, a brand new token is issued instead of the original token.  Environment DXP 7.4 Resolution This behavior is expected. Unfortunately, Liferay cannot be...

Issue We can put a Javascript code in the Button fragment's URL field, so it can be executed when we click on the button, like javascript:alert(document.cookie) Can that be a vulnerability to Cross Site Scripting (XSS)? Environment Liferay DXP 7.3+ Resolution We allow adding scripts to...

Issue We can put Javascript code in a fragment's HTML section where the code can be executed, when the fragment is opened, like <img src=x onerror="alert(document.cookie)"> Can that be a vulnerability to Cross Site Scripting (XSS)? Environment Liferay DXP 7.3+ Resolution This is the...

Issue Some users are unable to login via SAML Steps to reproduce: Login User for the first time The user gets logged-in successfully Now, log out and try logging in again Result: Throws unable to process SAML request error on UI, and Invalid NameId Policy error in the logs. Environment...

Issue We have configured a CDN with our Liferay environment. The portal is unable to load Liferay JS/CSS and images and we see errors in the browser console: Access to XMLHttpRequest at 'https...(CDN)' from origin 'https...(liferay)' has been blocked by CORS policy. No...

Issue From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps. I can understand that Liferay by default requires the complete signature of the response, but could this be turned off somehow? Environment DXP 7.3+...

Issue Our scanner reported that the Liferay DXP image as well as the Elasticsearch image are vulnerable to CVE-2022-1471, which is about an issue with SnakeYaml. Could you please confirm if we have to address this vulnerability? Environment DXP 7.4 Resolution CVE-2022-1471 was addressed...

Issue Once users log in to Liferay, the user should get redirected to Okta. After successful authentication, Okta is supposed to return an authorization token for that specific user.  Concern: After successful Okta authentication through OIDC, users are not able to get the token from...

Issue When I call Liferay.Session.extend(); from Liferay 7.4 running on Weblogic, the user session terminates. Environment DXP 7.4 Weblogic Resolution This behavior is resolved by LPS-190923. Please open a help center ticket requesting a hotfix at your update level., content:...

Issue After migrating to DXP 7.4. If we use the portal normally, there aren't new entries in Audit_AuditEvents table. Environment Liferay DXP 7.4 Resolution Go to System Settings -> Audit -> Persistent Message Audit Message Processor. Enable this configuration and save.  , content:...

Issue When does One Time Password expire? Can you set the validity timeframe of the OTP? Environment DXP 7.2+ Resolution OTP is HTTP session based, if the session expires, OTP expires as well. And it can only be used in the same HTTP session. Since OTP expiration is tied to the HTTP...

Issue There are some security configuration requirement regarding session management. Environment Liferay DXP 7.4 Resolution Application uses the 'referrer' header as a supplemental check only, and not just for any authorization check. Liferay does not rely on the referrer header for any...

Issue When configuring authentication using OpenID Connect, login fails and the following error is reported: Unable to validate tokens: Signed JWT rejected: Another algorithm expected, or no matching key(s) found This error arises when the RS265 is not listed as the first supported...

Issue We are seeing a browser pop-up warning for our users when they try to login to our http site. They become concerned as it says the connection is not secure, but to 'send anyway'. Can this be disabled by Liferay or bypassed somehow?  Environment DXP 7.0 | DXP 7.1 | DXP 7.2 | DXP 7.3...

Issue Azure's SAML Identity Provider (IdP) marks the Service Provider's (SP) Logout URL as "optional" However, when I remove Liferay's Logout URL from Azure's SAML configurations, Liferay users are not signed out completely from Liferay after signing out through Azure. Is it necessary to...

Issue Web Content Editing If a script is added to the content field and published, the script is executed when the article is displayed. Accessing the page triggers an alert each time. Allowing such content could assist the creator to perform an XSS attack.  Environment DXP 7.0 ~ DXP 7.4...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue It seems that I can set up the password reset email in multiple places,...

Issue After logging in with SAML, I am redirected to the Home Page of a non-logged-in user. I am redirected back to the Portal login screen after login with SAML Environment Portal 6.2 DXP 7.0+ Resolution This can be caused because auto-login is not allowed, which results in being...

Issue Does Liferay DXP validate Session Identifiers? And yes, Liferay does validate Session Identifiers! Environment Liferay DXP Resolution As for the session configuration in the portal we have the...