Search Results

Issue Despite the fix "Relay state exceeds 80 bytes" error and redirections to IDP We found this article and had a hotfix with LPS-76246 We found that the fix is not applied correctly. Environment Liferay DXP 7.3 Resolution The fix is not applied correctly due to the old SAML connector...

Issue When trying to set up the QR Code for MFA settings, following this documentation Multi-Factor Authentication Checkers, we've found that the QR code doesn't populate. It should be populating under "Shared Secret", but our page is blank. Steps for reproduction: Control Panel > System...

Issue For security reasons, we would like to store passwords using environment variables within OSGi .config files. For example, to store the Elasticsearch server's password. Environment 7.3+ Resolution In Liferay versions containing LPS-123057, it is possible to use environment...

Issue When developing client extensions with React for Liferay DXP 2024.Q4 or newer, what is the recommended Node.js version? The official compatibility matrix suggests Node.js version 20.12.2, but this version may have known security vulnerabilities (e.g., CVE-2025-23166,...

Issue We are encountering an issue where users are consistently redirected to the application's homepage immediately following SAML authentication, even when an alternative page was initially requested. Environment 7.4+ Resolution This is a known issue reported in LPD-39115 and was fixed...

Issue Setting up Business-to-Consumer (B2C) single sign-on (SSO) configuration with Liferay using OpenID Connect (OIDC) in Azure AD B2C is not working as expected. After enabling OpenID under Instance Settings in the Control Panel, the system is not working and throws an "internal server...

Issue After performing a security scan, a Vue.js vulnerability reported as CVE-2024-6783 is identified. Environment Liferay DXP 7.4 - Quarterly Releases Resolution Liferay is not impacted by CVE-2024-6783 as Liferay DXP does not use the vue-template-compiler Additional Information...

Issue The application accepts special characters in input fields. Ex: " ' ` * ; % _ = & | \ ? ~ < > ^ () [] {} $ \n\ Steps to Reproduce: 1. Start Liferay server. 2. Navigate to the user’s profile. 3. Click on Account Settings. 4. Edit the First Name field and enter:...

Issue A reflected cross-site scripting (XSS) vulnerability (CVE-2025-4388) in /o/marketplace-app-manager-web/icon.jsp allows a remote non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web module. Environment 2024.Q1.8 Resolution...

Issue Is Keycloak supported with Liferay? If yes, how can SAML be configured with Liferay? Environment Lifeary DXP [All versions] Resolution As per Liferay’s official compatibility matrix, Keycloak is not listed as a supported Identity Provider (IdP), as it has not been explicitly tested...

Issue After upgrading to 2025.q1.6-lts, I received the following error in the log: Feature flag LPD-10588 is not available for company 0 Environment Liferay Quarterly Release 2025.q1.6-lts Resolution The case has been addressed and resolved by LPD-56013. Kindly request a hotfix. After...

Issue My Basic Authentication was disabled at the Instance Level, and now I am unable to access the DXP Portal because of it. How do I re-enable Basic Authentication without logging in?   Environment Quarterly Release 2025.Q1.6   Resolution There is a way to re-enable Basic...

Issue After restarting the server, the callback URL for OAuth2 applications created via client extensions, gets reset to the default @protocol@://localhost@port-with-colon@/o/oauth2/redirect, instead of the configured URL. Environment Quarterly Releases Resolution Client extensions...

Issue A Cross-Site Scripting (XSS) vulnerability was detected in the web application. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the...

Issue I have an issue with authenticated users who do not have privilege to access the Control Panel. A user with no specific role (Only User role), when navigating to /control_panel/manage gets redirected to a page with the message: Please select a tool from the left menu. Reproduction...

Issue Changes made to a site template are not propagated to the pages that use the template. We can see the next error in the server log: [LayoutSetPrototypeMergeBackgroundTaskExecutor:219] Merge fail count increased to 1 for layout set prototype 11111...

Issue An organization's member list can be seen by manipulating the role member assign(groupID) in a request. Here are the steps to reproduce: Setup browser proxy to 127.0.0.1:8180. For example with Chrome, navigate to Settings > System > Open your computer’s proxy settings Download,...

Issue Is Liferay affected by vulnerability CVE-2025-29927?   Environment Liferay DXP Quarterly Releases   Resolution The vulnerability CVE-2025-29927 is related to Next.js, a technology not used by Liferay as a software. Thus, this vulnerability doesn't affect Liferay itself.,...

Issue After setting the property redirect.url.security.mode=domain we are now seeing WARN messages such as Property "redirect.url.security.mode" has invalid value: domain,domain Environment Liferay DXP Resolution Please check all of your environment's PROPERTIES files to ensure that...

Issue Our security scan detected a "Reference to Windows file path is present in HTML" in the following URL: https://localhost:8080/o/js/resolved-module/frontend-js-node-shims$path-browserify@0.0.0/index.js?languageId=en_US Can you please solve this security issue? Environment DXP 7.2...