Search Results

Observing 'Your connection is not private' Warning on Help Center Downloads
Issue When trying to download a quarterly release from Liferay's Help Center we are getting a browser error that says 'Your connection is not private... Attackers might be trying to steal your information...' Environment Quarterly Release 2024.Q1 Resolution This can often be caused by an...
Unable to process the OpenID Connect login: Resource URI must be absolute and with no query or fragment
Issue Unable to log in with OpenID from the Sign-In portlet: ERROR [http-nio-8080-exec-2][OpenIdConnectLoginRequestMVCActionCommand:190] Unable to process the OpenID Connect login: java.lang.IllegalStateException: Resource URI must be absolute and with no query or fragment:...
Cipher Keys used in DXP 7.1 and 7.3
Issue Our security team would like to know whether Liferay DXP 7.1 and DXP 7.3 use any of the following cipher keys? DES, 3DES, IDEA or RC2 Environment Liferay DXP 7.1 Liferay DXP 7.3 Resolution The algorithms listed above are not being used in Liferay DXP 7.1 and 7.3 by default. You...
Is Liferay Affected by CVE-2023-49070?
Issue How can I mitigate vulnerability with CVE-2023-49070 regarding Liferay DXP? Environment All environments. Resolution Liferay does not use Apache OFBiz, so Liferay is not impacted by this vulnerability. Additional Information CVE-2023-49070, content:...
Database Permissions Required for Liferay
Issue Could you please provide us with a list of Database Permissions required for Liferay to function? (We are optimizing our application security concerning the Database) Environment Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution Liferay requires reading...
LOGOUT event is not added to Audit Table
Issue LOGOUT event is not being audited when SAML SLO is enabled. Environment Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution This happens because LogoutPreAction and LogoutPostAction classes do not get the User's userId due to unauthenticated session issue. This is a known...
Unable to process OpenID Connect authentication response: Requested value and approved state do not match
Issue From time to time, error messages like the following appear in logs: 2024-02-14 13:31:55.099 ERROR [http-nio-8080-exec-120][OpenIdConnectFilter:132] Unable to process OpenID Connect authentication response: Requested value "yIH9jiIpdpuACAYf7NdNERUksBJZvNOoi-knjn7BOo0" and approved...
Troubleshooting Unexpected Open Ports in Liferay PaaS
Issue When performing a network scan on a Liferay PaaS environment, ports 80, 443, and others appear to be in open state. Will this allow HTTP requests to be successful? Environment Liferay PaaS Resolution This behavior is expected and does not represent a security threat. Liferay PaaS...
Obfuscating property values and rendering them as asterisks (*****) in the Control Panel
Issue Certain property values need to be hidden in the Control Panel. Environment DXP 7.4 Resolution To obfuscate the value of a portal property and have it appear as a string of asterisks (****) in the Control Panel, you have to include the name of that portal property in the...
Vulnerable JavaScript dependency Bootstrap-select 1.12.4
Issue The version of bootstrap-select 1.12.4 is vulnerable to attacks. To overcome this, bootstrap-select should be upgraded to a non-vulnerable version. Environment Liferay DXP 7.3 Resolution Liferay does not utilize the 'bootstrap-select' library anywhere. This library does not come...
Emails are not sent from Liferay when Office365 is used as the server
Issue Emails are not sent out from Liferay. In the log, we see the following error: liferay[liferay-7] [dxp] ERROR [liferay/mail-6][MailEngine:74] Unable to send message: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully....
Is there a way to bypass CAPTCHA without having to disable it?
Issue We will do some Automation tests in our QA environment and would like to know if it is possible to bypass CAPTCHA using configuration settings without having to disable it. Environment Liferay DXP 7.4 Resolution A way out of the box to not require CAPTCHA for authenticated users...
"Text verification failed" Captcha error
Issue We are trying to use the Reset Password functionality, but every time we enter the captcha text correctly, we always get an error saying: "Text verification failed". We noticed this same behavior on other pages where captcha is present, e.g. on Forms. Environment DXP 7.4 2023.Q3...
Vulnerability in Apache Tomcat (CVE-2023-46589)
Issue This security vulnerability (CVE-2023-46589) has been reported, and it is fixed in Tomcat 9.0.83. However, our current Liferay DXP 7.4 update 67 has a 9.0.71 Tomcat version. Environment Liferay DXP 7.4 Resolution To mitigate this vulnerability, update Liferay DXP 7.4 to Liferay DXP...
Liferay 6.2 EE 173 and CVE-2024-25145
Issue We have found the following article CVE-2024-25145 Stored XSS with search results if highlighting is disabled, however it does not specify whether Liferay 6.2 EE 173 is affected or not. Environment Liferay 6.2 EE 173 Resolution Liferay 6.2 EE 173 is not affected by CVE-2024-25145....
Can SAML be used to send an attribute that can be used to assign site roles?
Issue Currently, SAML is not designed to be utilized to send an attribute that can be used to assign site roles. Environment Quarterly Releases Resolution This is an ongoing task, LPD-6336, for Liferay. Liferay is planning on implementing a form of this in the future but this will be...
OpenID Connect Error - "Signed JWT rejected" with CAS
Issue When configuring authentication using OpenID Connect, login fails and the following error is reported: Unable to validate tokens: Signed JWT rejected: Another algorithm expected, or no matching key(s) found Environment DXP 7.3 DXP 7.4 Using Apereo CAS as OpenID Provider Resolution...
/c/ redirects to login page
Issue When the user tries to access the URL: 'http://localhost:8080/c/', even if the 'c' page doesn't exist, it redirects to the login page instead of a 404 page not found. Environment Liferay DXP [all versions] Resolution In the URL, the prefix "c" designates a unique portal access...
Log messages for Stored XSS vulnerabilities
Issue We would like to know whether there are any strings to search for in log files, to check if any of the following vulnerabilities have been exploited in our environment? LSV-1237 / CVE-2023-42628 LSV-1236 / CVE-2023-42627 LSV-1194 / CVE-2023-44310 Environment Liferay DXP 7.4...
Getting 'DuplicateSamlIdpSsoSessionException' in the Debug Logs
Issue Users are facing intermittent login issues in the SAML environment; however, the below error is observed frequently in their log files: DEBUG [default task-73687][BaseSamlStrutsAction:61] null com.liferay.saml.persistence.exception.DuplicateSamlIdpSsoSessionException: Duplicate...

Showing 161 - 180 of 627 results