Search Results

How to protect the portal against Bootstrap: CVE-2019-8331 vulnerability
Issue Liferay 7.0 uses a Bootstrap version that has this vulnerability: CVE-2019-8331 - XSS is possible in the tooltip or popover data-template attribute. Bootstrap issue 20184 - XSS in the data-target attribute. Environment Liferay DXP 7.0 Resolution You should be able to get protection...
InvalidNameIDPolicy errors
Issue The following error occurs while configuring Liferay as SP and ADFS as IdP. At Liferay
Signed SAML response
Issue How can the signed response, which is required by ADFS to complete authentication at the Liferay end, be clarified? Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution Requests from ADFS to Liferay must be signed. Run the command below in the...
"Content security policy" header is not available in the application response
Issue The "Content security policy" header is not available in the application response. How to add or enable the CSP? Environment Liferay DXP 7.3 Resolution Liferay doesn't directly support the CSP as there are no OOTB configurations or UI settings available for configuring the CSP...
Impact of Spring4Shell and Spring Cloud Security Advisory on other libraries related to Spring
Issue There previously was a Security Advisory regarding a vulnerability for the Spring4Shell and Spring Cloud libraries. These vulnerabilities are detailed in this article here:  Spring4Shell and Spring Cloud Security Advisory There are other libraries that Liferay uses that have Spring...
Version of spring-** jars after installing a hotfix
Issue To address the Spring4Shell vulnerabilities, the patched version of spring-beans.jar should appear in its manifest file after the hotfix installation; is spring-webmvc.jar included in this? Environment Liferay DXP 7.2 Resolution Only the spring-beans.jar is patched by the Liferay patch...
Guest users are able to access an endpoint if PortalSessionAuthVerifier is enabled
Issue We have followed this How-To article: How to add security, authentication to my REST service? (Section 5.1), but guest users are still able to access our endpoint from a browser. If we enable PortalSessionAuthVerifier, users without an active session are able to access the...
Plain text can still be seen despite SSL
Issue Even if SSL (or TLS) is enabled, the login credentials appear in plain text when intercepting requests with Burp Suite. Environment Liferay DXP 7.3 Resolution If a user utilizes Burp Suite as a proxy, they can see the password in plain text because Burp intercepts all traffic...
Error "Invalid domain for site key" when using reCAPTCHA
Issue When using Google's reCAPTCHA, the CAPTCHA option won't show, instead the message "Invalid domain for site key" is displayed where the CAPTCHA should be. Environment Any Liferay DXP version with reCAPTCHA configured as the CAPTCHA engine. Resolution reCAPTCHA uses a pair of public...
log4j-core-2.13.3.jar exists inside the fix pack
Issue This article highlights the concern with the following path of log4j lower version jars. {liferay_home}/patching-tool/patches/liferay-fix-pack-dxp-16-7210.zip!binaries/MODULES_BASE_PATH/marketplace/Liferay Foundation - Liferay Connector to Elasticsearch 6 -...
After changing the password, site members are not redirected to a page where they don't have the guest view permission
Issue After changing the password, site members are not redirected to a page Steps to reproduce: 1) Start the server, login as Admin 2) Create a new page e.g. /testpage and remove the VIEW permission for the Guest user on it 3) Create a new user e.g. user1 and, in the Memberships tab,...
Password reminder answers are not masked
Issue As Liferay DXP does not hide password reminder answers, attackers can capture user's password reminder answers through man-in-the-middle or shoulder surfing attacks. Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution The portal's observed...
Is there a REST API method to revoke the OAuth2 tokens?
Issue We want to provide a public REST API method to revoke the OAuth2 tokens following the RFC 7009 specification https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 Does Liferay provide this functionality? Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution Unfortunately,...
New user is unable to log in properly
Issue A new user (this also happens to LDAP users) is unable to log in the first time, but seems to be able to log in on the second attempt. Steps to reproduce: 1) Create a guest user from the Create Account tab at the sign-in page. 2) Click on the sign-in button 3) Type the username and...
The birthday is reset to {01/01/1970} on LDAP import
Issue Every time a user is logged in, the birthday is automatically updated to the default value {01-01-1970}. We configured the LDAP server in Instance Settings. Environment Liferay DXP 7.2 Liferay DXP 7.3 Resolution The resolution is to add "birthday" to the list of User Ignore...
Known vulnerabilities in jackson-databind-2.9.6
Issue apio-architect-impl has a dependency of jackson-databind-2.9.6 which has the following known vulnerabilities: CVE-2018-19362 CVE-2018-19361 CVE-2018-19360 CVE-2018-14721 CVE-2018-14720 CVE-2018-14719 CVE-2018-1000873 Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2...
Apache Log4j 1.x has reached its end-of-life
Issue Log4j 1.x has reached end-of-life status: https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces Environment Liferay DXP 7.0  Liferay DXP 7.1 Liferay DXP 7.2  Liferay DXP 7.3  Resolution Liferay is aware of Log4j 1.x's end-of-life and has logged it as a...
CVE-2022-23305, CVE-2022-23307, and CVE-2017-5645
Issue This article outlines the concerns of CVE-2022-23305, CVE-2022-23307, and CVE-2017-5645 vulnerabilities with respect to the Liferay DXP Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution CVE-2020-9493 or CVE-2022-23307 identified a...
javax.portlet.PortletException: java.lang.IllegalStateException: getAttribute: Session already invalidated error
Issue Why does this error get triggered? What would be the cause? INFO  [http-nio-8080-exec-2573][CustomLoginPortlet:726] url redirect = https://xxxx/group/yyyy ERROR [http-nio-8080-exec-2573][PortletServlet:112] javax.portlet.PortletException: java.lang.IllegalStateException:...
Error when configuring SAML in a clustered environment for the first time
Issue When configuring SAML in a clustered environment and entering the IdP connection configuration, an error is shown: java.lang.RuntimeException: java.lang.NullPointerException at com.liferay.portlet.expando.model.impl.ExpandoBridgeImpl.getAttributeType(ExpandoBridgeImpl.java:334) at...
Browser console error : The connection used to load resources from https://www.xxx.yyyy used TLS 1.0 or TLS 1.1, which are deprecated and will be disabled in the future
Issue Browser console error as "The connection used to load resources from https://www.xxx.yyyy used TLS 1.0 or TLS 1.1, which are deprecated and will be disabled in the future. Once disabled, users will be prevented from loading these resources. The server should enable TLS 1.2 or...
Getting mixed content on the portal
Issue After enabling SSL and routing the domain, mixed-content warnings appear on the portal: pages served from https://www.abc.in reference http://www.abc.in for stylesheets, JavaScript, and so on. Environment Liferay DXP 7.2 Resolution This might be caused when SSL is getting...
Error signing via SAML: com.liferay.saml.runtime.exception.AudienceException: Unable verify audience
Issue Liferay is configured as a SAML Service Provider. When trying to sign in to Liferay it is not possible and the following error is shown in the logs: 2022-01-20 11:50:38.554 ERROR [default task-391][BaseSamlStrutsAction:56] com.liferay.saml.runtime.exception.AudienceException:...
Session logs out intermittently after being redirected by the payment link
Issue After being redirected by the payment link, the session logs out. Steps to reproduce : 1. Login in Liferay. 2. Call the API in Postman. Request parameters are attached (SSL Commerz Request Parameters.txt) Request Type: x-www-form-urlencoded URL:...
Unable to bind to the LDAP server javax.naming.CommunicationException: [Root exception is java.lang.ClassNotFoundException: javax.net.ssl.SSLSocketFactory cannot be found by com.liferay.saml.web_
Issue When LDAP users log in to the portal they authenticate successfully and the LDAP connection is active, but the following warning is observed in the Liferay log.  2021-12-17 01:26:37.412 WARN  [tomcat-http--20][DefaultPortalLDAP:178] Unable to bind...
SAML Authentication Issue: Message context was not authenticated when Azure AD as IDP
Issue After enabling the SAML, when the user is trying to log in, authentication failed with the following message. ERROR [http-nio-8080-exec-36][BaseSamlStrutsAction:59] org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated Caused by:...
Can Multi-Factor Authentication (MFA) be set for specific roles only?
Issue We want to set up MFA for Administrators only. Is this possible with Liferay out-of-the-box? Can we target specific users to sign in using multi-factor authentication? Environment DXP 7.4 DXP 7.3 DXP 7.2   Resolution Liferay's out-of-the-box functionality for MFA is binary in its...
URL length modification / restriction
Issue Sometimes we need to modify or restrict the length of the URLs Liferay generates (for example, for custom security solutions), but Liferay has no out-of-the-box solution for that. Environment DXP 7.2 Resolution The invoke filter handles the topic. The limit is 4000 chars and it can be...
How to enable CSRF Token in Liferay?
Issue How to enable CSRF Token in order to prevent CSRF attacks in Liferay? Environment Liferay DXP 7.2 Resolution Liferay's p_auth token protects against CSRF and is enabled by default. Here is the main code that handles the CSRF...
Change the GUEST_LANGUAGE_ID cookie to expire Null
Issue The GUEST_LANGUAGE_ID cookie in Liferay has a one-year expiration, whereas the cookie set by the F5 load balancer has an undefined expiration, which caused a conflict. Is there a way to modify the cookie's duration in Liferay? Environment Liferay DXP 7.0 Resolution The...
dtSa cookies containing special characters
Issue dtSa cookies are being detected; are these cookies a cause for concern, and is there any information about them in relation to Liferay? Use Case: Because the dtSa cookies generated by Liferay contain the characters '||', the user wants to whitelist them. Also, if special characters...
How to configure the default timeout value to any value instead of having it capped at 500ms
Issue The default library timeout until Liferay DXP 7.2 fix pack dxp-3 is 250ms. The default library timeout since Liferay DXP 7.2 fix pack dxp-4 is 500ms.  Use Case: The user would like to be able to set/configure the default timeout value to whatever they want instead of having it...
Liferay as SAML SP fails after switching the URL of the virtual instance
Issue SAML configuration hasn't been working since the virtual host of the portal instance changed. Caused by: org.opensaml.ws.security.SecurityPolicyException: Request was required to be secured but was not at org.opensaml.ws.security.provider.HTTPRule.evaluateSecured(HTTPRule.java:126)...
How to prevent an AD user from logging into Liferay using the old password if LDAP authentication cannot set to be required
Issue After a user changes the password in Microsoft Active Directory (AD), the user can still log into Liferay using the old password. Enabling the "Required" option resolves the issue, but then users created manually in Liferay (not imported from AD) cannot sign in to Liferay...
How can the p_auth authorization token be generated?
Issue Liferay protects itself against CSRF attacks by generating the p_auth authorization token. How can this token be created? Environment DXP 7.0, 7.1, 7.2, 7.3 Resolution When "auth.token.check.enabled=true" is set in portal-ext.properties, the auth token (p_auth value) is generated...
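The two entries above describe the p_auth token and the auth.token.check.enabled switch only in outline. The following is an added example (not Liferay's own code, whose token generation is truncated in the snippet above) that models the mechanism generically: a random token minted once per session, embedded in server-rendered forms under the p_auth parameter, and verified with a constant-time comparison before any state-changing action runs. The session dictionary, the csrf_token attribute name, the handle_action handler and the demo URLs are hypothetical stand-ins; only the p_auth parameter name and the idea of the check being switched by a property come from the page.

```python
"""Generic model of a per-session anti-CSRF token in the style of p_auth.

Constructed example: the session store, the csrf_token attribute name and
handle_action() are hypothetical stand-ins, not Liferay's implementation.
"""
import hmac
import secrets
from typing import Dict, Optional

TOKEN_ATTR = "csrf_token"   # hypothetical session attribute name
TOKEN_PARAM = "p_auth"      # request parameter name referenced on the page


def get_or_create_token(session: Dict[str, object]) -> str:
    """Return the session's token, minting a random one on first use.

    The token is bound to the session and embedded in every state-changing
    form or URL the server renders. A cross-site attacker's page cannot read
    it (same-origin policy), so it cannot forge a request that carries it.
    """
    token = session.get(TOKEN_ATTR)
    if token is None:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        session[TOKEN_ATTR] = token
    return str(token)


def verify_token(session: Dict[str, object], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session's."""
    expected = session.get(TOKEN_ATTR)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(str(expected).encode(), submitted.encode())


def handle_action(session: Dict[str, object], params: Dict[str, str],
                  check_enabled: bool = True) -> int:
    """Hypothetical action handler; returns an HTTP-like status code.

    check_enabled models auth.token.check.enabled in portal-ext.properties:
    with it off, a request lacking p_auth is processed like any other.
    """
    if check_enabled and not verify_token(session, params.get(TOKEN_PARAM)):
        return 403   # missing or invalid p_auth: reject before acting
    session["actions"] = int(session.get("actions", 0)) + 1
    return 200


def render_form(session: Dict[str, object], action: str) -> str:
    """Server-rendered form carrying the token as a hidden field."""
    token = get_or_create_token(session)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}">'
            f'</form>')


def demo() -> Dict[str, int]:
    """Legitimate, forged and guessed requests, with the check on and off."""
    session: Dict[str, object] = {}
    # The victim loads a legitimate page, which mints the token for the session.
    render_form(session, "/group/guest/change-password")     # hypothetical URL
    legit = {TOKEN_PARAM: str(session[TOKEN_ATTR]), "newPassword": "x"}
    forged = {"newPassword": "attacker-chosen"}              # cross-site form: no token
    guessed = {TOKEN_PARAM: secrets.token_urlsafe(32), "newPassword": "x"}
    return {
        "legit": handle_action(session, legit),
        "forged": handle_action(session, forged),
        "guessed": handle_action(session, guessed),
        "forged_check_disabled": handle_action(session, forged, check_enabled=False),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of demo() is the point of the auth.token.check.enabled property: with the check disabled, the forged request succeeds, so the property should stay at its default of true in production.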
Automated process to remove users from Liferay that are no longer in LDAP?
Issue Is there a way to automatically remove users from Liferay who are no longer in LDAP? Environment Liferay DXP 7.1 Resolution There's no automated process to do this out of the box. However, a feature request for the same has already been submitted and can be tracked here LPS-69061...
Cross Site Scripting Vulnerability report on refererPlid or other parameters
Issue During a penetration test, a Cross Site Scripting Vulnerability may be reported, indicating that you can inject a script into the refererPlid parameter or into the _com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName parameter.   Environment Liferay DXP 7.3   Resolution...
When resetting a password, duplicate error messages appear
Issue Duplicate error messages show up when resetting the password Steps to reproduce: 1. Start and set up Liferay DXP 7.3 SP1 using the setup wizard. The email can be set as test@liferay.com and the password as a test. 2. Set up an SMTP client to listen to emails. For example: here,...
The behavior of bypassing SAML SSO has changed
Issue There is a use case in which a subset of users are meant to bypass SAML SSO and login directly to the Liferay SP. On Liferay 7.2 dxp-8, users successfully used the following URL to achieve this:...
How to resolve users being unable to log out after configuring a Token-Based SSO
Issue After configuring and enabling a Token Based SSO in our 7.2 environment (upgraded from 7.0), users are now unable to log out, and they are instead redirected to the home page (still logged in). In our 7.0 environment using the same SSO configurations, our users were logged out as...
