Search Results

Issue My users keep forgetting their answers to the security questions is there a way to disable this? Also is there an alternative to the forgot password option? Environment DXP 7.4 Resolution Liferay already sends a password reset link when users click on Forgot Password, provided that...

Issue The access_token expiration default is set to 10 minutes. When invoking the /oauth2/token before the previous token expires, a brand new token is issued instead of the original token.  Environment DXP 7.4 Resolution This behavior is expected. Unfortunately, Liferay cannot be...

Issue We can put a Javascript code in the Button fragment's URL field, so it can be executed when we click on the button, like javascript:alert(document.cookie) Can that be a vulnerability to Cross Site Scripting (XSS)? Environment Liferay DXP 7.3+ Resolution We allow adding scripts to...

Issue We can put Javascript code in a fragment's HTML section where the code can be executed, when the fragment is opened, like <img src=x onerror="alert(document.cookie)"> Can that be a vulnerability to Cross Site Scripting (XSS)? Environment Liferay DXP 7.3+ Resolution This is the...

Issue Some users are unable to login via SAML Steps to reproduce: Login User for the first time The user gets logged-in successfully Now, log out and try logging in again Result: Throws unable to process SAML request error on UI, and Invalid NameId Policy error in the logs. Environment...

Issue We have configured a CDN with our Liferay environment. The portal is unable to load Liferay JS/CSS and images and we see errors in the browser console: Access to XMLHttpRequest at 'https...(CDN)' from origin 'https...(liferay)' has been blocked by CORS policy. No...

Issue From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps. I can understand that Liferay by default requires the complete signature of the response, but could this be turned off somehow? Environment DXP 7.3+...

Issue Our scanner reported that the Liferay DXP image as well as the Elasticsearch image are vulnerable to CVE-2022-1471, which is about an issue with SnakeYaml. Could you please confirm if we have to address this vulnerability? Environment DXP 7.4 Resolution CVE-2022-1471 was addressed...

Issue Once users log in to Liferay, the user should get redirected to Okta. After successful authentication, Okta is supposed to return an authorization token for that specific user.  Concern: After successful Okta authentication through OIDC, users are not able to get the token from...

Issue When I call Liferay.Session.extend(); from Liferay 7.4 running on Weblogic, the user session terminates. Environment DXP 7.4 Weblogic Resolution This behavior is resolved by LPS-190923. Please open a help center ticket requesting a hotfix at your update level., content:...

Issue After migrating to DXP 7.4. If we use the portal normally, there aren't new entries in Audit_AuditEvents table. Environment Liferay DXP 7.4 Resolution Go to System Settings -> Audit -> Persistent Message Audit Message Processor. Enable this configuration and save.  , content:...

Issue When does One Time Password expire? Can you set the validity timeframe of the OTP? Environment DXP 7.2+ Resolution OTP is HTTP session based, if the session expires, OTP expires as well. And it can only be used in the same HTTP session. Since OTP expiration is tied to the HTTP...

Issue There are some security configuration requirement regarding session management. Environment Liferay DXP 7.4 Resolution Application uses the 'referrer' header as a supplemental check only, and not just for any authorization check. Liferay does not rely on the referrer header for any...

Issue When configuring authentication using OpenID Connect, login fails and the following error is reported: Unable to validate tokens: Signed JWT rejected: Another algorithm expected, or no matching key(s) found This error arises when the RS265 is not listed as the first supported...

Issue We are seeing a browser pop-up warning for our users when they try to login to our http site. They become concerned as it says the connection is not secure, but to 'send anyway'. Can this be disabled by Liferay or bypassed somehow?  Environment DXP 7.0 | DXP 7.1 | DXP 7.2 | DXP 7.3...

Issue Azure's SAML Identity Provider (IdP) marks the Service Provider's (SP) Logout URL as "optional" However, when I remove Liferay's Logout URL from Azure's SAML configurations, Liferay users are not signed out completely from Liferay after signing out through Azure. Is it necessary to...

Issue Web Content Editing If a script is added to the content field and published, the script is executed when the article is displayed. Accessing the page triggers an alert each time. Allowing such content could assist the creator to perform an XSS attack.  Environment DXP 7.0 ~ DXP 7.4...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue It seems that I can set up the password reset email in multiple places,...

Issue After logging in with SAML, I am redirected to the Home Page of a non-logged-in user. I am redirected back to the Portal login screen after login with SAML Environment Portal 6.2 DXP 7.0+ Resolution This can be caused because auto-login is not allowed, which results in being...

Issue Does Liferay DXP validate Session Identifiers? And yes, Liferay does validate Session Identifiers! Environment Liferay DXP Resolution As for the session configuration in the portal we have the...

Issue Security scan shows CVE-2016-1000027 as an active vulnerability, is Liferay affected? Environment DXP 7.4 Resolution CVE-2016-1000027 is known to us, and we can confirm that Liferay should not be vulnerable, as Liferay does not use the following components:...

Issue Our security scan has shown CVE-2022-47966 as an active critical vulnerability. Is Liferay affected? Environment DXP 7.2 Resolution The out-of-the-box Liferay product is not affected by this vulnerability. So, unless you use this library in a custom implementation, your system can...

Issue HTTP methods like HEAD, OPTIONS, TRACE may provide information about the application that can be used in attacks like XST, CSRF, steal of sensitive information. How we can disable insecure/unnecessary http methods? How to enable the SECURE attribute to disallow the cookie to be...

Issue Liferay does not restrict a URL that has a 'sleepy user agent' query appended to it like: https://domain/page?1%2b(select*from(select(sleep(x)))a)%2b=1 Environment Liferay DXP 7.4 Resolution Sleepy user agent payload gets a page in sleep mode(inactive) for x seconds of time, which...

Issue The Download Certificate button doesn't work in the SAML Admin. When I click on the Download Certificate button, nothing happens. Redirect URL errors are seen in Liferay logs, such as: [http-nio-8080-exec-10][PortalImpl:991] Redirect URL...

Issue When attempting to create a new Identity Provider under SAML Admin, having entered the required information, when ‘Save’ is clicked the UI displays: "Error: Please enter a valid identity provider entity ID." The logs show: INFO  [http-nio-8084-exec-19][SamlAdminPortlet:77] Metadata...

Issue I've found vulnerabilities in our current jQuery version. Since I can't find jQuery used anywhere, I would like to disable it. Environment Liferay DXP 7.2 Resolution Go to Control Panel --> System Settings --> Third Party --> jQuery Tick off the Enable jQuery checkbox Save,...

Issue A blank screen (with url http://localhost:8080/c) is seen after user password is reset. The expected behavior after password reset is for users to A) be successfully redirected to Liferay home page and B) remain logged in. However, in DXP 7.4 u50 (and below)...

Issue When not logged in, and user attempts to navigate to private page's URL, instead of being prompted to log in, a 'Not Found' page is seen instead. Environment DXP 7.4 Resolution In DXP 7.3, when users are not logged in and they navigate to a private page's URL, they are prompted to...

Issue The guest user observed the message "Redirecting to your identity provider" showed up before the OKTA user login screen showed up. The behavior just happened after upgrading the environment to 7.4 Update 56. We don't want the front-end users to see this message.  Environment...

Issue How can I mitigate vulnerability CVE-2022-38749, CVE-2022-38750, CVE-2022-38751 and CVE-2022-38752 regarding Liferay DXP? Environment Liferay Portal 6.2 EE Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 (until the U47) Resolution Upgrade to Liferay...

Issue The custom site panel category entries' panel app permissions do not work as intended. We are unable to grant permissions to access the panel app through a "Site role" if the category key does not start with "site_administration." It will only work if we grant the permission with a...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue Does the Apache Tomcat vulnerabilityCVE-2022-45143affect Liferay?...

Issue Unable to connect to Open LDAP in DXP due to the following UI error Environment Liferay DXP 7.4 Resolution These errors typically occur when Liferay is unable to communicate with LDAP or when mapping mistakes are made. As a result, please ping both servers to ensure that they can...

Issue A security scan has picked up the following vulnerabilities related to struts-core:  CVE-2012-1007, CVE-2014-0112 CVE-2014-0112: ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to...

Issue I would like to check who and what deleted pages or data from the Liferay system. Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution There are two ways of checking who and what deleted data: 1. From the UI by utilizing the Audit option, by going to the main menu on the upper...

Issue For security reasons we need to update the moment.js library from version 2.24.0 to version 2.29.4 How do I update the moment.js library in Liferay DXP? Security vulnerabilities in moment.js 2.24.0: CVE-2022-31129, CVE-2022-24785 Environment Liferay DXP 7.1+ Resolution The...

Issue How can I adjust the JSESSIONID cookie's SameSite attribute from None to Strict? Environment Liferay DXP 7.1 - 7.4 Resolution The JSessionID cookie's attributes are set by your application server or web server. When using a Liferay environment with a bundled Tomcat application...

Issue We are seeing many abnormal errors in our Liferay catalina logs all of sudden. We have tried restarting, but the errors continue. What could these mean? ERROR [ajp-nio-0.0.0.0-8009-exec-19][MVCPortlet:557] ${@print(md5(31337))}\ is not a valid include ERROR...

Issue The password encryption algorithm of existing users is not being updated after doing a password reset. Environment DXP 7.4 Resolution To resolve this behavior, open a help center ticket to request a hotfix containing LPS-165014, or update your installation to DXP 7.4 update 54 and...