Search Results

Issue After integrating Liferay with the LDAP server for users, the passwords for the users are expiring after some time and are required to be reset again. Is there any way for the passwords to never expire? Environment Liferay DXP 7.4 Resolution While configuring Liferay with LDAP, the...

Issue We want to set up MFA via SMS without using any external Apps. Is this possible with Liferay out-of-the-box? Environment Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution MFA by SMS is not available out-of-the-box in Liferay; it is only a viable option if the user has a...

Issue Medium threat found during the performance testing: [T003] Open redirect in /c/document_library/find_folder with DNS rebinding Environment Liferay Quarterly release Resolution The reported concern has been addressed by this LPD-23987 Additional Information If a hotfix is required,...

Issue After enabling SSO for our Liferay Console, we are no longer able to log in with email and password.  Environment DXP 7.4 Resolution This is expected behavior, as per the Official documentation for SSO: "The first time users authenticate with SSO, their user accounts are...

Issue Encountered a vulnerability issue with the robots.txt file and the vulnerability test suggests preventing the robots.txt file from being accessed. Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution The robots.txt file is not itself a security threat and it might be a false...

Issue GitHub Personal Access Token has been leaked in a public Docker container hosted on Docker Hub. Some of the malicious packages like testbrojct2, proxyfullscraper, proxyalhttp and proxyfullscrapers work for file-matching extensions like .py, .php, .zip, .png, .jpg, and .jpeg. If...

Issue Is HTTP Strict-Transport-Security Header enabled in Liferay? Environment Liferay DXP 7.4 Resolution Liferay enables HTTP security headers such as 'http.header.secure.x.content.type.options', 'http.header.secure.x.xss.protection', 'http.header.secure.x.content.type.options' by...

Issue After scheduling a shutdown event, and trying to cancel it, you see an error: "Error:Text verification failed."   When trying to cancel a shutdown event, I'm prompted to input a CAPTCHA, but there is no text box. Environment Liferay DXP Quarterly Release 2024.Q1.7+ Resolution To...

Issue You have created an OAuth 2.0 application and would like to set up the minimum configuration to be able to test it. This article provides a simple example that could be adapted to your needs. Environment Liferay DXP 7.3, 7.4, Quarterly Releases Oauth 2 Custom App 'Client Secret...

Issue I configured an OpenID Connect Provider Connection. When I try to login using the OpenID  Connect Client Name, I get an internal server error. In logs, a java exception is thrown: WARN [http -nio-8080-exec-2][PortalImp1:6018] The client secret must not be null...

Issue Can the derivatives unsafe-eval and unsafe-inline be exploited? If yes, how it is done? What is the residual risk associated with this? Can Content Security Policy (CSP) be resolved by adding a reverse Proxy? Environment Liferay DXP [all versions] Resolution Unfortunately, the DXP...

Issue Guest users should not be able to see the extend_session message in the browser once the session has expired. Environment Liferay DXP [7.1-7.4, Quarterly Releases] Resolution Post observing the time frequencies in the snapshot, it is seen that every request has around the interval...

Issue Once the user assigns the task to another user, then the previous user loses access to that task and is unable to see that in the 'Assigned to my roles' tab of 'My workflow Tasks'. Steps to reproduce: 1. Create one regular role. 2. Create three users and assign that particular...

Issue Security vulnerability CVE-2013-3587 details a breach attack that is possible with the enable of HTTP compression and Deflate. Steps to see the behvaior: Navigate to any of the pages on the Liferay server. Inspect the browser, open the network tab request, and check the...

Issue Can users give permission to the guest users to use the headless API to create, update, delete, etc. for documents & media, besides just the VIEW permission? Environment Liferay DXP 7.4 Resolution These actions are disabled by default on purpose for guest users: <guest-unsupported>...

Issue How do I add fragments to action pages like /c/portal/update_password and /c/portal/update_reminder_query? Our theme reverts on utility/action pages /c/ When a user is taken to the /c/portal/update_password page, the theme is no longer visible. Environment Liferay DXP Resolution...

Issue An attribute polyfill:true is observed in the source code of the website. Does it have anything to do with the domain 'https://polyfill.io'? Is Liferay affected by the Polyfill.js vulnerability?  Environment All environments [DXP 7.0 - DXP 7.4] Resolution Polyfill is a common...

Issue Admin users are unable to impersonate other users. When attempting to impersonate, a new tab opens, but it remains on the original user. Impersonation attempts fail, the `doAsUserId?` is missing from the URL. Environment Liferay DXP 7.4 + Resolution  Start the bundle and navigate...

Issue After running a scan, we received an alert about a possible vulnerability in Liferay. We want to confirm if we are vulnerable to CVE-2023-50164. Environment All environments. Resolution Liferay is not vulnerable as it does not use the Struts upload feature. Additional Information...

Issue I'd like to inquire about the support for Liferay 7.4 in the Liferay Sync. Currently, the Compatibility Matrix only lists support for Liferay DXP 7.3. Environment Liferay DXP 7.4+ Resolution Liferay Sync got deprecated in 7.3 without direct replacement. The feature is in archived...

Issue Navigating to to the login page /c/portal/login on the SP throws a 500 error when already logged in through SAML. Environment DXP 7.3 DXP 7.4 Resolution This is a known issue affecting DXP 7.4 U80 and lower and some DXP 7.3 versions. Please upgrade to a more recent release or open...

Issue If there is any problem related with the way two-factor is working or do you simply want to deactivate it for some reason. Environment Liferay DXP 7.4 2023 Q1 - 2023 Q4 2024 Q1 Resolution There are two ways to enable or disable the multi-factor authentication: Through the portal,...

Issue The users who were imported from LDAP cannot modify their passwords from My Account. Environment All Liferay DXP environments Resolution Make sure that LDAP Export option is enabled. Ensure that the credentials used to connect from Liferay DXP to LDAP have sufficient permissions to...

Issue Can you backport GDPR-compliant 3rd party cookie handling to 7.3 SP3?  Environment The feature got implemented in DXP 7.4.13-u66. Backporting this feature to 7.3 is not feasible. Resolution There are 3 options available: Upgrading to a version which contains the required feature...

Issue At the moment, we are using LDAP server connection to authenticate our users. Our question is: in which moment the query to authenticate users is executed? More exactly, when the field 'Authentication Search Filter' is applied? We are using as 'Authentication Search Filter' this...

Issue A Web Server before the Liferay environment is configured with Basic Auth. Liferay uses a Client Extension (CX) that makes a request to a Liferay API using OAuth. When the page using the CX is loaded, the Web Server keeps asking for the basic credentials, even after they've been...

Issue Can we use Azure Key Vault with DB setup configuration in Liferay instead of having it in plain text in the properties file? Is there any way to configure the DB in Liferay using Azure Key Vault? How we can use Azure Key Vault to store the DB username and password and read it...

Issue Receiving unwanted email notifications like "Your email account abc@xyz.org.in was signed into from a new location, device, browser, or application" from GoDaddy. Below are the details received:   From: GoDaddy <donotreply@godaddy.com> Sent: Monday, May 27, 2024 11:42 AM To: ABC...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue Regarding the vulnerability in Apache tomcat regarding sending...

Issue Some monitoring tools may identify certain URLs that are accessible during routine scans that should not have allowed access. Among the URLs that are typically detected are URLs that can download Liferay's JS (JavaScript) to the equipment being accessed. For example, if you inject...

Issue When trying to access a user's private page, we are transferred to a "404 Page Not Found" error page instead of the Login page that we were expecting.  Environment DXP 7.4 Quarterly Release Resolution Not being able to access a user's private pages is the expected behavior despite...

Issue We would like to understand the formatting of passwords as they're saved in Liferay. What algorithm, salt, and hash format is being used to store passwords?  Environment DXP 7.1 Resolution Example Password: {PBKDF2WABCDMAEFGH1}ABCDoABC/ABCD644e/XY3ZAbcde8hI0jKLOnBcEE7U7TuuV The...

Issue Service Organization Control (SOC) -1 Type 2 report for auditing purposes. Environment Liferay DXP Resolution The SOC-1 report focuses on financial controls and their evaluation and this reporting is not applicable in the Liferay context. Therefore, Liferay does not make this type...

Issue Liferay's OpenID Connect implementation does not account for language variations for ui_locales. For example, Selecting English (United States) on Liferay sets ui_locales to en. Selecting Chinese (either Traditional or Simplified) sets ui_locales to zh. In this example, we would...

Issue A blank intermediary page (showing "Please select your identity provider" title and /portal/c/portal/login?redirect=%2Fportal%2F&refererPlid=[sanitized]&p_l_id=[sanitized] URL) is being seen even with the hotfix installed (with fix LPS-172619) and the...

Issue How do you disable CAPTCHA on pages? Site Administration pages like the Gogo Shell now have a CAPTCHA verification. How do you disable CAPTCHA on pages? Adding “-1” (Never Check), doesn’t work. Previously, CAPTCHA could be “disabled” by navigating to Control Panel → Configuration →...

Issue Security vulnerability CVE-2024-28752 details a SSRF vulnerability with the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3, and 3.5.8, which would allow an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of...

Issue When importing users by Groups and enabling ‘Creating Roles on Import’, the roles and groups will be created/imported, but the users are not imported. Error reads PermissionChecker not initialized after scheduled LDAP import. I’m connected to my LDAP server, all tests are working,...

Issue A critical remote code Backdoor vulnerability was discovered on the open source XZ utils. This is CVE-2024-3094 with a maximum CVSS3 score of 10.0 Environment Liferay DXP 7.4 Resolution The Docker images, or DXP, are not vulnerable. Our Docker images use Ubuntu Jammy, and in the...

Issue I cannot embed widgets on another site (with a different domain) even though I have the checkbox "Allow users to add <portlet> to any website" enabled. "<Hostname> refused connection" error may be seen.  Environment Liferay DXP 7.3 Resolution Currently, the checkbox "Allow users to...