Search Results

All Results 437
Password for LDAP and Liferay users should not expire
Issue After integrating Liferay with the LDAP server for users, the passwords for the users are expiring after some time and are required to be reset again. Is there any way for the passwords to never expire? Environment Liferay DXP 7.4 Resolution While configuring Liferay with LDAP, the...
Multi-Factor Authentication via SMS
Issue We want to set up MFA via SMS without using any external Apps. Is this possible with Liferay out-of-the-box? Environment Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution MFA by SMS is not available out-of-the-box in Liferay; it is only a viable option if the user has a...
[T003] Open redirect in /c/document_library/find_folder with DNS rebinding vulnerability
Issue Medium threat found during the performance testing: [T003] Open redirect in /c/document_library/find_folder with DNS rebinding Environment Liferay Quarterly release Resolution The reported concern has been addressed by this LPD-23987 Additional Information If a hotfix is required,...
Enabling SSO for our Liferay Console prevents logging in with email and password
Issue After enabling SSO for our Liferay Console, we are no longer able to log in with email and password.  Environment DXP 7.4 Resolution This is expected behavior, as per the Official documentation for SSO: "The first time users authenticate with SSO, their user accounts are...
Vulnerability: Robots.txt file must not be accessed and should be blocked
Issue Encountered a vulnerability issue with the robots.txt file and the vulnerability test suggests preventing the robots.txt file from being accessed. Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution The robots.txt file is not itself a security threat and it might be a false...
GitHub Token Leak Exposure
Issue GitHub Personal Access Token has been leaked in a public Docker container hosted on Docker Hub. Some of the malicious packages like testbrojct2, proxyfullscraper, proxyalhttp and proxyfullscrapers work for file-matching extensions like .py, .php, .zip, .png, .jpg, and .jpeg. If...
HTTP Strict-Transport-Security Header in Liferay
Issue Is HTTP Strict-Transport-Security Header enabled in Liferay? Environment Liferay DXP 7.4 Resolution Liferay enables HTTP security headers such as 'http.header.secure.x.content.type.options', 'http.header.secure.x.xss.protection', 'http.header.secure.x.content.type.options' by...
Unable to Cancel Shutdown Event
Issue After scheduling a shutdown event, and trying to cancel it, you see an error: "Error:Text verification failed."   When trying to cancel a shutdown event, I'm prompted to input a CAPTCHA, but there is no text box. Environment Liferay DXP Quarterly Release 2024.Q1.7+ Resolution To...
A simple example and key factors to check when testing custom OAuth 2.0 applications
Issue You have created an OAuth 2.0 application and would like to set up the minimum configuration to be able to test it. This article provides a simple example that could be adapted to your needs. Environment Liferay DXP 7.3, 7.4, Quarterly Releases Oauth 2 Custom App 'Client Secret...
OpenID Connect Client Secret field must be filled
Issue I configured an OpenID Connect Provider Connection. When I try to login using the OpenID  Connect Client Name, I get an internal server error. In logs, a java exception is thrown: WARN [http -nio-8080-exec-2][PortalImp1:6018] The client secret must not be null...
Residual risk after limiting the usage of unsafe-eval and unsafe-inline
Issue Can the derivatives unsafe-eval and unsafe-inline be exploited? If yes, how is it done? What is the residual risk associated with this? Can Content Security Policy (CSP) be resolved by adding a reverse Proxy? Environment Liferay DXP [all versions] Resolution Unfortunately, the DXP...
Remove extend_session for Guest users
Issue Guest users should not be able to see the extend_session message in the browser once the session has expired. Environment Liferay DXP [7.1-7.4, Quarterly Releases] Resolution Post observing the time frequencies in the snapshot, it is seen that every request has around the interval...
Access revoked after task assignment to another user
Issue Once the user assigns the task to another user, then the previous user loses access to that task and is unable to see that in the 'Assigned to my roles' tab of 'My workflow Tasks'. Steps to reproduce: 1. Create one regular role. 2. Create three users and assign that particular...
CVE-2013-3587 - enable of HTTP compression
Issue Security vulnerability CVE-2013-3587 details a breach attack that is possible with the enable of HTTP compression and Deflate. Steps to see the behavior: Navigate to any of the pages on the Liferay server. Inspect the browser, open the network tab request, and check the...
Provide other permissions to Guest user beside just view permission
Issue Can users give permission to the guest users to use the headless API to create, update, delete, etc. for documents & media, besides just the VIEW permission? Environment Liferay DXP 7.4 Resolution These actions are disabled by default on purpose for guest users: <guest-unsupported>...
Can you add a theme or fragments to action pages?
Issue How do I add fragments to action pages like /c/portal/update_password and /c/portal/update_reminder_query? Our theme reverts on utility/action pages /c/ When a user is taken to the /c/portal/update_password page, the theme is no longer visible. Environment Liferay DXP Resolution...
Polyfill.io Vulnerability: Is Liferay affected?
Issue An attribute polyfill:true is observed in the source code of the website. Does it have anything to do with the domain 'https://polyfill.io'? Is Liferay affected by the Polyfill.js vulnerability?  Environment All environments [DXP 7.0 - DXP 7.4] Resolution Polyfill is a common...
The Impersonation Attempt Fails Without Errors in the Logs or UI
Issue Admin users are unable to impersonate other users. When attempting to impersonate, a new tab opens, but it remains on the original user. Impersonation attempts fail, the `doAsUserId?` is missing from the URL. Environment Liferay DXP 7.4 + Resolution  Start the bundle and navigate...
Is Liferay vulnerable to CVE-2023-50164?
Issue After running a scan, we received an alert about a possible vulnerability in Liferay. We want to confirm if we are vulnerable to CVE-2023-50164. Environment All environments. Resolution Liferay is not vulnerable as it does not use the Struts upload feature. Additional Information...
Deprecation of Liferay Sync
Issue I'd like to inquire about the support for Liferay 7.4 in the Liferay Sync. Currently, the Compatibility Matrix only lists support for Liferay DXP 7.3. Environment Liferay DXP 7.4+ Resolution Liferay Sync got deprecated in 7.3 without direct replacement. The feature is in archived...

Results: 121 - 140 of 627