Search Results

Issue Characters as <, >, /, (, ), ", ' which can be used to make scripts, used in HTML and JavaScript are valid to use in the portal as inputs and values, and it can raise security questions The use of these characters did not throw any warning or error messages, neither on the UI nor...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue Is there a limit to the number of IdPs registered? Environment DXP7.2+...

Issue A search in Control Panel > Security > Audit always sends empty search parameters in the GET URL. As a result, URLs are very long and can be blocked by firewall-infrastructure. Steps to reproduce: Navigate to Control Panel > Security > Audit Search for "test" Result: URL is very...

Issue A security scan has picked up the following vulnerabilities related to jettison-1.x.x jar: CVE-2022-40150 & CVE-2022-40149. This jar is found in marketplace\Liferay Foundation - Liferay Portal Remote - Impl.lpkg\com.liferay.portal.remote.rest.extender-6.0.12.jar\lib directory....

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue What happens if I am editing a thread or message on the BBS widget and...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue Can I change the number of digits in the CSRF token parameter "p_auth"?...

Issue When trying to log in with an Active Directory user, sign-in failed with the below error ERROR [http-nio-8080-exec-9][BaseSamlStrutsAction:59] Screen name test@liferay.com for user 34945 must validate with com.liferay.portal.kernel.security.auth.DefaultScreenNameValidator: The...

Issue How can I mitigate vulnerability CVE-2022-41853 regarding Liferay DXP?   Environment Liferay Portal 6.2 EE Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3   Resolution CVE-2022-41853 : This vulnerability has been fully fixed with the following LPS-165641  ...

Issue What procedures does Liferay follow to perform security scanning? Environment Liferay DXP Resolution Liferay uses DAST and SAST tools for scanning. Pen test and manual code reviews are performed as well. The internal procedures are classified as proprietary information since a lot...

Issue When adding the notes:// protocol to a link in Knowledge Base, AntiSamy removes it and displays it as text. Environment Liferay DXP 7.2, 7.3 Resolution By default, everything is sanitized by AntiSamy, with 3 exceptions (JournalArticle, BlogsEntry and FragmentEntry).  Knowledge...

Issue Our company has a few external clients whose users have unique screen names, but all share one email address. This is causing various conflicts such as two users being unable to sign in simultaneously. The error in log looks like this below: WARN [https-jsse-nio-0000-exec-000]...

Issue We Blacklisted the Sign-In Portlet with a third-party authentication application and the admin logins were not synchronized in the process and so now we can no longer access our environment. How can we restore access? Environment DXP 7.1 Resolution The best option, in this case,...

Context When a main Liferay instance and a second virtual instance are both connected to the same LDAP server, local Liferay admin users are unable to log in when the “Required” box is checked. In the case where the LDAP is connected and the “Enabled” box is checked, all LDAP users are...

Issue SAML Identity Provider is unable to initiate Single Log Out Notes 1. Set the different virtual hosts as below as an example 127.0.0.1www.bbb.com (For IDP) 127.0.0.1www.sp.com (For SP) 2. Using thetest testuser in this test. Make sure the user share the same password in IDP and SP...

Issue Records are not removed from `samlspsession` table if the user closes the browser instead of logging out. Steps to reproduce: 1. Setup two instances of Liferay to use SAML - one as IDP and one as SP. log into the SP 2. Verify record is created in the SAMLSPSESSION table (in the SP...

Issue I not see the Resource and Global Sub-tabs under the Scopes tab on Oauth2 clients (in Control Panel/ OAuth2 Administration) Environment 7.3+ Resolution After https://issues.liferay.com/browse/LPS-105158 the scope graphic interface change. There is an explanation on...

Issue Is there a way to make both of Liferay and LDAP policies work together, so that users logging via Liferay authentication will be handled by Liferay's password policies and users authenticating with LDAP will be handled by LDAP's password policies? Environment 7.2 DXP Resolution If...

Issue I would like to integrate my portal with an EU Login mock server instance via OpenID Connect It does not work since the OpenID connect server needs Proof Key for Code Exchange (PKCE) After configuration, when I am being redirected from Liferay to the EU Login server instance, I am...

Issue What is the actual functionality of LDAP Import Enabledunder SAML settings Environment Liferay DXP 7.2, 7.3, 7.4 SAML Resolution Checking LDAP Import Enabled under SAML settings affects 3 functions: 1. The SAML NameID or SAML attributes (depending on the selected “User Resolution”...

Issue Liferay is configured to use LDAP When Liferay Authentication will happen? When LDAP Authentication will happen? Environment Liferay DXP 7.0 -7.4 Resolution LDAP authentication always happens before Liferay Authentication. That is becauseLDAPAuthservice is registered...

Issue How are strangers defined by Liferay? How can I control email notifications to strangers upon signup? Environment DXP 7.3+ Resolution The SAML property defining unknown users as strangers was introduced in DXP 7.3. (1) This property defines if users that do not exist already in the...

Issue When trying to access the site URL, the console displays the following exception, and the site is inaccessible. javax.net.ssl.SSLHandshakeException: Received fatal alert: handshakefailure javax.net.ssl.SSLHandshakeException: Received fatal alert: handshakefailure at...

Issue When using the burp suite tool to intercept traffic, the Liferay Auth token is visible in the Page Source, which could make the environment vulnerable in the user's view. Environment Liferay DXP 7.0+ Resolution This observed behavior is expected and poses no security risk. The...

Issue When configuring an OpenID Provider and trying to log in with an user, the callback to the portal shows an error message similar to the one below: Internal Server Error An error occurred while accessing the requested resource....

Issue Is Liferay creating a cookies site base? If so, where exactly on the Liferay server would all the cookies be physically kept?  Environment Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution The majority of Liferay's cookies are of the "Persistent" type. As...

Issue Users who are not registered with the Liferay application are able to log in even though they have no connections. Environment Liferay DXP 7.0 to 7.4 Resolution Users log into Liferay DXP by using the Sign In widget, which uses the database to authenticate the user based on...

Issue In Liferay, a vulnerable version of Lodash 4.17.14 is being used. Environment Liferay DXP 7.0 Resolution The observed behavior is a known issue LPE-17236 and has already been fixed in the latest fix pack de-102-7010. Please raise a ticket including the latest patching-tool.info if...

Issue Is there any OOTB option to configure SAML for two sites on the same instance? Whether creating a new instance for a site would help to configure SAML? Environment Liferay DXP 7.2 Liferay DXP 7.3 Resolution Is there any OOTB option to configure SAML for two sites on the same...

Issue There is no error messages from api json services. How to manage the serialization and access to  Json services In Liferay Portal 6.2 or DXP7.0 the server response is serialized and shows information related with server errors but now their are empty. Environment Liferay DXP...

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue We need to have some domains with custom certificates and others using provided Let's Encrypt certificates. Is it possible setting...

Issue SAML has abruptly stopped working, and no user can log in. The Liferay console contains the following errors: DEBUG [ajp-nio-172.1.129.26-8080-exec-351][BaseSignatureTrustEngine:200] Attempting to establish trust of KeyInfo-derived credential DEBUG...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue Does CVE-2022-34305 affect Liferay? Environment Liferay DXP 7.0+ solution...

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue When navigating some incorrectly crafted URLs (ex.:...

Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue Error message is not displayed when an error occurs in JSONWS Do not...

Issue When sending emails, the error "unable to send message: 554 X.X.XXX SendAsDenied" occurs. Steps to reproduce: 1. Configure the outlook mail server to send email notifications in Liferay 2. Sometimes, the following errors occurred while sending emails. 2022-06-26 09:55:21.121 ERROR...

Issue The JSESSIONID cookie that comes with Liferay requests in the browser is not secure by default when inspected in the browser. Environment Liferay DXP 7.3 Resolution Set the JSESSIONID in web.xml to secure: <session-config> <cookie-config> <http-only>true</http-only>...

Issue When sending emails, the error "unable to send message: Could not connect to SMTP host: smtp.office365.com, port: 587" occurs. Steps to reproduce: 1. Configure the outlook mail server to send email notifications in Liferay 2. Sometimes, the following errors occurred while sending...

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue CrowdStrike’s Falcon Overwatch has discovered a malicious framework that targets Microsoft  Exchange servers but it can also run...

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue I would like to change my webserver login credentials. Environment Liferay PaaS Resolution By default, the webserver nginx.conf uses...

Issue You might encounter an issue where after the SSO setup, you start having problems with OAuth 2.0 and the call to /o/oauth2/token is failing with a "401 Unauthorized error". Also if you use Apache you might see the following: "POST /o/oauth2/token HTTP/1.1" 401 381 "-"...