Search Results

All Results 434
ソート
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
p_auth token missing from GET request
legacy
Issue After enabling CSRF Tokens, a p_auth token is appended to URLs, as expected. However, we noticed that if we manually remove this from the end of a URL and hit enter, we are still able to access the page,...
After enabling LDAP authentication, administrator users who do not exist in LDAP can log in
legacy
Issue We have enabled LDAP authentication, checking it as required and we have unchecked Ignore User Search Filter for Authentication. With this configuration applied the administrator users can login even if...
Setting sameSite attribute in Cookie for header response on JBoss EAP 7.2
legacy How To
Issue How to add the sameSite attribute as 'Strict' on the cookies JSESSIONID,COOKIE_SUPPORT,GUEST_LANGUAGE_ID on JBoss EAP 7.2 Environment Liferay DXP 7.4 JBoss EAP 7.2 Resolution In JBoss, navigate...
Requests to Liferay with an invalid HOST request HTTP header returns the default site
legacy Troubleshooting
Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue Requests to Liferay with an invalid HOST request...
Vulnerability issues related to the EJS version in Fragments Toolkit
legacy Troubleshooting
Issue Vulnerability issues (ejs template injection vulnerability) were reported related to the EJS version inside the yarn.lock file while building fragments using the fragments toolkit. The EJS version is...
Duplicate user errors when setting up a SAML Authentication to replace an existing Token-Based SSO
legacy Troubleshooting
Issue When trying to set up a SAML authentication to replace existing Token-Based SSO, there are errors that populate stating that the user and/or email address is already in use.  A user with company 1xxxx and email...
Can I integrate an additional Captcha Engine?
legacy
Issue Currently, Liferay offers 2 Captcha Engines out of the box: Simple Captcha and Google reCaptcha 2 We would like to use another Captcha service.   Environment Liferay DXP 7.4   Resolution At the moment it is not...
Will a curl vulnerability impact Liferay DXP?
legacy
Issue There have been security announcements that are deemed to be a high-risk vulnerability that is caused by curl 8.4.0.   Environment DXP 7.3 Resolution Liferay DXP does not use the libcurl library. In conclusion,...
Is it Liferay vulnerable to the Log4j Vulnerability CVE-2019-17571?
legacy
Issue After search in the following folder:/tomcat/webapps/ROOT/WEB-INF/lib/log4j-extras.jar is notice that the log4 is available as part of product, so the Liferay is it vulnerable to this lib? Environment All...
Setting up Liferay as both IDP and SP (SAML)
legacy How To
Issue This article outlines how to configure two Liferay DXP bundles for SAML authentication with one functioning as the Service Provider (SP) and the second as the Identity Provider (IdP). Environment DXP...
Updating React dependencies to later version
legacy
Issue As part of the security audit, the old version of the React might be vulnerable to attacks. Is there a way to hide the React version that Liferay displays? Environment Liferay DXP 7.3 Resolution At this...
Vulnerability in CKeditor 4.18.0
legacy Troubleshooting
Issue In Liferay, a vulnerable version of CKEditor 4.18.0 is being used. The vulnerability CVE-2023-28439 is present in the CKEditor versions less than 4.21.0. Environment Liferay DXP 7.0+ Resolution The observed...
Nested Azure AD Groups are not assigned to Liferay groups
legacy Troubleshooting
Issue You want to assign Liferay user groups via dynamic Azure AD groups when logging in with SAML. For this, certain rules of Azure AD groups are in place based on your needs. There might be an issue where nested...
Insecure Cross Document Messaging
legacy Troubleshooting
Issue Cross Document Messaging (also known as Web Messaging) introduced the postMessage() method, with which plaintext messages can be sent cross-origin. It consists of two parameters: “message”, and...
High CPU utilisation while using script to login users continuously
legacy Troubleshooting
Issue Facing high CPU utilization while logging-in high number of users per minute continuously (24x7) using username-password authentication, mostly while fetching data using some scripts. Environment Liferay DXP...
How to implement a token system instead of using credentials to access remote services
legacy How To
Issue Trying to write a custom remote service using Liferay (ServiceImpl file), so which method may be used to authenticate using a token rather than credentials? Environment Liferay DXP 7.4 Resolution Liferay has...
ORA-12899 because OpenID access token is too large
legacy
Issue We store several things in our OpenID access token and when a user tries to log in, it fails because the token size exceeds the 3000-character limit specified in the ACCESSTOKEN column of the...
AntiSamy sanitizer cleans some of the HTML tags and styles, how can we solve that?
legacy Troubleshooting
Issue We turned on AntiSamy but it removes certain HTML code and CSS styles from our Web Content articles. Environment DXP 7.0+ Resolution Usage of HTML and CSS in Web Content article HTML fields Web content articles...
How is AntiSamy configured?
legacy
Issue We configured AntiSamy to santize Web Content articles. We would like to understand how AntiSamy works and what parts are expected to be removed in Web Content articles. Environment DXP 7.0+ Resolution In the...
Can Liferay Support SP and IDP initiated SAML Simultaneously?
legacy
Issue Our team is the design phase for authentication and we want to know if Liferay supports IDP and SP initiated SAML logins at the same time?  Environment DXP 7.4 Resolution No, a single instance should not be both...
Force Authentication in SAML requiring reauthentication in SP
legacy How To
Issue With SAML and Force Authentication enabled, I am required to reauthenticate requests from the SP Environment DXP 7.3, 7.4 Resolution This behavior is intended, but to avoid manual reauthentication in this...
Captcha authentication via Headless API
legacy
Issue We have developed a Liferay fragment to collect user input via a custom-designed HTML form. This fragment interacts with custom Liferay objects through a Headless API using JS We have created a new role with the...
User enumeration attack via response time
legacy Troubleshooting
Issue It is possible to determine if an email address is valid or not (i.e., user enumeration) by comparing the request's response time. This can be done by checking the browser's network tab and comparing...
How do we Toggle Requirement for Strangers to Verify their Email Address
legacy How To
Issue How do we toggle the requirement for strangers to verify their email address  Environment DXP 7.4 Resolution This setting can be toggled by going to: Instance Settings > User Authentication. From here, you can...
Checking for vulnerability to CVE-2022-42889
legacy Troubleshooting
Issue Is our Liferay instance vulnerable to CVE-2022-42889?  Environment DXP 7.4, DXP 7.3, DXP 7.2, DXP 7.1, DXP 7.0  Resolution Look for commons-text in ${liferay.home}/license/versions.html, if you do not find it, you...
Relay state exceeds 80 bytes
legacy Troubleshooting
Issue After configuring SAML, I see Relay state exceeds 80 bytes WARN messages in the logs. How can I prevent the transmission of relay states larger than 80 bytes? Environment DXP 7.X Resolution This issue was...
CVE-2020-28885 and CVE-2020-28884
legacy
Issue We would like to know about Liferay's vulnerability to CVE-2020-28885 and CVE-2020-28884. The CVE's claim that it is a vulnerability for an Administrator User to be able to inject commands through the Gogo Shell...
CVE-2023-33950
legacy Troubleshooting
Issue We would like to determine whether Liferay is vulnerable to CVE-2023-33950 The CVE claims that Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allow regular...
SSO SP connection doesn't send unauthenticated users to /c/portal/login
legacy How To
Issue Once we setup a SAML SP connection, the SAML adapter doesn't recognize unauthenticated users and redirect them to /c/portal/login Environment DXP 7.4 Resolution This is intended behavior with the “Prompt Enabled”...
User is redirected to the 404 page instead of the login page when the session expires.
legacy How To
Issue The user is not prompted for login but to a 404 page when navigating in pages with restricted access if the user session expires or, if the user is not logged in and tries to access directly the url. ...
What should be done when answers to the security questions are forgotten?
legacy How To
Issue My users keep forgetting their answers to the security questions is there a way to disable this? Also is there an alternative to the forgot password option? Environment DXP 7.4 Resolution Liferay already sends a...
Does having a script in a button fragment qualify as a potential XSS vulnerability?
legacy
Issue We can put a Javascript code in the Button fragment's URL field, so it can be executed when we click on the button, like javascript:alert(document.cookie) Can that be a vulnerability to Cross Site...
Does having a script in a fragment qualify as a potential XSS vulnerability?
legacy
Issue We can put Javascript code in a fragment's HTML section where the code can be executed, when the fragment is opened, like <img src=x onerror="alert(document.cookie)"> Can that be a vulnerability to...
After configuring a CDN, Liferay does not load images and throws error in browser console
legacy Troubleshooting
Issue We have configured a CDN with our Liferay environment. The portal is unable to load Liferay JS/CSS and images and we see errors in the browser console: Access to XMLHttpRequest at 'https...(CDN)' from origin...
Liferay accepts only fully signed SAML responses. Can this requirement be turned off?
legacy
Issue From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps. I can understand that Liferay by default requires the complete signature of...
How to extract the okta authorization token for each user?
legacy Troubleshooting
Issue Once users log in to Liferay, the user should get redirected to Okta. After successful authentication, Okta is supposed to return an authorization token for that specific user.  Concern: After successful Okta...
Unable to extend user session on Weblogic
legacy Troubleshooting
Issue When I call Liferay.Session.extend(); from Liferay 7.4 running on Weblogic, the user session terminates. Environment DXP 7.4 Weblogic Resolution This behavior is resolved by LPS-190923. Please open a help...
AuditEvent not saved after migrating from Portal 6.2 to DXP 7.4
legacy Troubleshooting
Issue After migrating to DXP 7.4. If we use the portal normally, there aren't new entries in Audit_AuditEvents table. Environment Liferay DXP 7.4 Resolution Go to System Settings -> Audit -> Persistent...
Browser Pop-Up For Non-Https Site
legacy Troubleshooting
Issue We are seeing a browser pop-up warning for our users when they try to login to our http site. They become concerned as it says the connection is not secure, but to 'send anyway'. Can this be disabled by Liferay...
Is Liferay's SAML Service Provider Logout URL required in the Identity Provider?
legacy Troubleshooting
Issue Azure's SAML Identity Provider (IdP) marks the Service Provider's (SP) Logout URL as "optional" However, when I remove Liferay's Logout URL from Azure's SAML configurations, Liferay users are not signed out...