Search Results

Issue Liferay 7.0 uses a Bootstrap versión that has this vulnerability: CVE-2019-8331 - XSS is possible in the tooltip or popover data-template attribute. Bootstrap issue 20184 - XSS in data-target attribute. Environment Liferay DXP 7.0 Resolution You should be able to get protection...

Issue The following error occurs while configuring Liferay as SP and ADFS as Idp. At Liferay

Issue How can the signed response, which is required by ADFS to complete authentication at the Liferay end, be clarified? Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution Requests from ADFS to Liferay must be signed. Run the command below in the...

Issue The "Content security policy" header is not available in the application response. How to add or enable the CSP? Environment Liferay DXP 7.3 Resolution Liferay doesn't directly support the CSP as there are no OOTB configurations or UI settings available for configuring the CSP...

Issue There previously was a Security Advisory regarding a vulnerability for the Spring4Shell and Spring Cloud libraries. These vulnerabilities are detailed in this article here:  Spring4Shell and Spring Cloud Security Advisory There are other libraries that Liferay uses that have Spring...

Issue To address the Spring4Shell vulnerabilities, the patched version of spring-beans.jar should be in its manifest file after the hotfix installation, is spring-webmvc.jar included in this? Environment Liferay DXP 7.2 Resolution Only the spring-beans.jar is patched by the Liferay patch...

Issue We have followed this How-To article: How to add security, authentication to my REST service? (Section 5.1), but guest users are still able to access our endpoint from a browser. If we enable PortalSessionAuthVerifier, users without an active session are able to access the...

Issue Even if SSL (or TLS) is enabled, the login credentials are in plain text while intercepting requests with Burp Suite. Environment Liferay DXP 7.3 Resolution If a user utilizes the burp suite as a proxy, they can see plain text in the password since the burp intercepts all traffic...

Issue When using Google's reCAPTCHA, the CAPTCHA option won't show, instead the message "Invalid domain for site key" is displayed where the CAPTCHA should be. Environment Any Liferay DXP version with reCAPTCHA configured as the CAPTCHA engine. Resolution reCAPTCHA uses a pair of public...

Issue This article highlights the concern with the following path of log4j lower version jars. {liferay_home}/patching-tool/patches/liferay-fix-pack-dxp-16-7210.zip!binaries/MODULES_BASE_PATH/marketplace/Liferay Foundation - Liferay Connector to Elasticsearch 6 -...

Issue After changing the password, site members are not redirected to a page Steps to reproduce: 1) Start the server, login as Admin 2) Create a new page e.g. /testpage and remove the VIEW permission for the Guest user on it 3) Create a new user e.g. user1 and, in the Memberships tab,...

Issue As Liferay DXP does not hide password reminder answers, attackers can capture user's password reminder answers through man-in-the-middle or shoulder surfing attacks. Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution The portal's observed...

Issue We want to provide a public REST API method to revoke the OAuth2 tokens following the RFC 7009 specification https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 Does Liferay provide this functionality? Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution Unfortunately,...

Issue A new user (this also happens to LDAP users) is unable to log-in the first time, but seems to be able to log-in on the second attempt. Steps to reproduce: 1) Create a guest user from Create Account tab at the sign-in page. 2) Click on the sign-in button 3) Type the username and...

Issue Every time a user is logged in, the birthday is automatically updated to the default value {01-01-1970}. We configured the LDAP server in Instance Settings. Environment Liferay DXP 7.2 Liferay DXP 7.3 Resolution The resolution is to add "birthday" to the list of User Ignore...

Issue apio-architect-impl has a dependency of jackson-databind-2.9.6 which has the following known vulnerabilities: CVE-2018-19362 CVE-2018-19361 CVE-2018-19360 CVE-2018-14721 CVE-2018-14720 CVE-2018-14719 CVE-2018-1000873 Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2...

Issue Log4j 1.x has reached end-of-life status: https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces Environment Liferay DXP 7.0  Liferay DXP 7.1 Liferay DXP 7.2  Liferay DXP 7.3  Resolution Liferay is aware of Log4j 1.x's end-of-life and has logged it as a...

Issue This article outlines the concerns of CVE-2022-23305, CVE-2022-23307, and CVE-2017-5645 vulnerabilities with respect to the Liferay DXP Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution CVE-2020-9493 or CVE-2022-23307 identified a...

Issue Why does this error gets triggered? What would be the cause? INFO  [http-nio-8080-exec-2573][CustomLoginPortlet:726] url redirect = https://xxxx/group/yyyy ERROR [http-nio-8080-exec-2573][PortletServlet:112] javax.portlet.PortletException: java.lang.IllegalStateException:...

Issue When configuring SAML in a clustered environment and entering the configuration Idp connection an error is shown: java.lang.RuntimeException: java.lang.NullPointerException at com.liferay.portlet.expando.model.impl.ExpandoBridgeImpl.getAttributeType(ExpandoBridgeImpl.java:334) at...