Search Results

All Results 435
ソート
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
How is AntiSamy configured?
legacy
Issue We configured AntiSamy to santize Web Content articles. We would like to understand how AntiSamy works and what parts are expected to be removed in Web Content articles. Environment DXP 7.0+ Resolution In the...
Can Liferay Support SP and IDP initiated SAML Simultaneously?
legacy
Issue Our team is the design phase for authentication and we want to know if Liferay supports IDP and SP initiated SAML logins at the same time?  Environment DXP 7.4 Resolution No, a single instance should not be both...
Force Authentication in SAML requiring reauthentication in SP
legacy How To
Issue With SAML and Force Authentication enabled, I am required to reauthenticate requests from the SP Environment DXP 7.3, 7.4 Resolution This behavior is intended, but to avoid manual reauthentication in this...
Captcha authentication via Headless API
legacy
Issue We have developed a Liferay fragment to collect user input via a custom-designed HTML form. This fragment interacts with custom Liferay objects through a Headless API using JS We have created a new role with the...
CVE-2020-28885 and CVE-2020-28884
legacy
Issue We would like to know about Liferay's vulnerability to CVE-2020-28885 and CVE-2020-28884. The CVE's claim that it is a vulnerability for an Administrator User to be able to inject commands through the Gogo Shell...
How to reduce difficulty on captcha for Liferay DXP 7.2
legacy Troubleshooting
Issue The captcha generated in the login is unreadable, even for humans. Environment Liferay DXP 7.2 Resolution Go to System Settings > Security Tools. Find and delete the following properties: ...
Relay state exceeds 80 bytes
legacy Troubleshooting
Issue After configuring SAML, I see Relay state exceeds 80 bytes WARN messages in the logs. How can I prevent the transmission of relay states larger than 80 bytes? Environment DXP 7.X Resolution This issue was...
CVE-2023-33950
legacy Troubleshooting
Issue We would like to determine whether Liferay is vulnerable to CVE-2023-33950 The CVE claims that Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allow regular...
SQL injection Sleepy user agent attack
legacy
Issue Liferay does not restrict a URL that has a 'sleepy user agent' query appended to it like: https://domain/page?1%2b(select*from(select(sleep(x)))a)%2b=1 Environment Liferay DXP 7.4 Resolution Sleepy user agent...
SAML Download Certificate button is broken, with Redirect URL errors seen
legacy Troubleshooting
Issue The Download Certificate button doesn't work in the SAML Admin. When I click on the Download Certificate button, nothing happens. Redirect URL errors are seen in Liferay logs, such as:...
SAML Admin - "Metadata XML is null" error
legacy Troubleshooting
Issue When attempting to create a new Identity Provider under SAML Admin, having entered the required information, when ‘Save’ is clicked the UI displays: "Error: Please enter a valid identity provider entity ID."...
Disabling jQuery in Control Panel
legacy How To
Issue I've found vulnerabilities in our current jQuery version. Since I can't find jQuery used anywhere, I would like to disable it. Environment Liferay DXP 7.2 Resolution Go to Control Panel --> System Settings -->...
Blank screen is seen after password reset
legacy Troubleshooting
Issue A blank screen (with url http://localhost:8080/c) is seen after user password is reset. The expected behavior after password reset is for users to A) be successfully redirected to Liferay home page and B) remain...
InvalidNameIDPolicy errors
legacy Troubleshooting
Issue The following error occurs while configuring Liferay as SP and ADFS as Idp. At Liferay
Signed SAML response
legacy How To
Issue How can the signed response, which is required by ADFS to complete authentication at the Liferay end, be clarified? Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution...
Impact of Spring4Shell and Spring Cloud Security Advisory on other libraries related to Spring
legacy
Issue There previously was a Security Advisory regarding a vulnerability for the Spring4Shell and Spring Cloud libraries. These vulnerabilities are detailed in this article here:  Spring4Shell and Spring Cloud Security...
Plain text can still be seen despite SSL
legacy
Issue Even if SSL (or TLS) is enabled, the login credentials are in plain text while intercepting requests with Burp Suite. Environment Liferay DXP 7.3 Resolution If a user utilizes the burp suite as a proxy, they...
Error "Invalid domain for site key" when using reCAPTCHA
legacy Troubleshooting
Issue When using Google's reCAPTCHA, the CAPTCHA option won't show, instead the message "Invalid domain for site key" is displayed where the CAPTCHA should be. Environment Any Liferay DXP version with...
After changing the password, site members are not redirected to a page where they don't have the guest view permission
legacy Troubleshooting
Issue After changing the password, site members are not redirected to a page Steps to reproduce: 1) Start the server, login as Admin 2) Create a new page e.g. /testpage and remove the VIEW permission for the Guest...
Is there a REST API method to revoke the OAuth2 tokens?
legacy How To
Issue We want to provide a public REST API method to revoke the OAuth2 tokens following the RFC 7009 specification https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 Does Liferay provide this functionality?...
"Content security policy" header is not available in the application response
legacy
Issue The "Content security policy" header is not available in the application response. How to add or enable the CSP? Environment Liferay DXP 7.3 Resolution Liferay doesn't directly support the CSP as there are no...
Version of spring-** jars after installing a hotfix
legacy
Issue To address the Spring4Shell vulnerabilities, the patched version of spring-beans.jar should be in its manifest file after the hotfix installation, is spring-webmvc.jar included in this? Environment Liferay...
Guest users are able to access an endpoint if PortalSessionAuthVerifier is enabled
legacy Troubleshooting
Issue We have followed this How-To article: How to add security, authentication to my REST service? (Section 5.1), but guest users are still able to access our endpoint from a browser. If we enable...
log4j-core-2.13.3.jar exists inside the fix pack
legacy Troubleshooting
Issue This article highlights the concern with the following path of log4j lower version jars. {liferay_home}/patching-tool/patches/liferay-fix-pack-dxp-16-7210.zip!binaries/MODULES_BASE_PATH/marketplace/Liferay...
Password reminder answers are not masked
legacy Troubleshooting
Issue As Liferay DXP does not hide password reminder answers, attackers can capture user's password reminder answers through man-in-the-middle or shoulder surfing attacks. Environment Liferay DXP 7.0 Liferay DXP...
New user is not being able to login properly
legacy Troubleshooting
Issue A new user (this also happens to LDAP users) is unable to log-in the first time, but seems to be able to log-in on the second attempt. Steps to reproduce: 1) Create a guest user from Create Account tab at the...
The birthday is reset to {01/01/1970} on LDAP import
legacy Troubleshooting
Issue Every time a user is logged in, the birthday is automatically updated to the default value {01-01-1970}. We configured the LDAP server in Instance Settings. Environment Liferay DXP 7.2 Liferay DXP 7.3...
Known vulnereabilities in jackson-databind-2.9.6
legacy Troubleshooting
Issue apio-architect-impl has a dependency of jackson-databind-2.9.6 which has the following known vulnerabilities: CVE-2018-19362 CVE-2018-19361 CVE-2018-19360 CVE-2018-14721 CVE-2018-14720 CVE-2018-14719...
Apache Log4j 1.x has reached its end-of-life
legacy
Issue Log4j 1.x has reached end-of-life status: https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces Environment Liferay DXP 7.0  Liferay DXP 7.1 Liferay DXP 7.2  Liferay DXP 7.3 ...
CVE-2022-23305, CVE-2022-23307, and CVE-2017-5645
legacy Troubleshooting
Issue This article outlines the concerns of CVE-2022-23305, CVE-2022-23307, and CVE-2017-5645 vulnerabilities with respect to the Liferay DXP Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP...
javax.portlet.PortletException: java.lang.IllegalStateException: getAttribute: Session already invalidated error
legacy
Issue Why does this error gets triggered? What would be the cause? INFO  [http-nio-8080-exec-2573][CustomLoginPortlet:726] url redirect = https://xxxx/group/yyyy ERROR [http-nio-8080-exec-2573][PortletServlet:112]...
Error when configuring SAML in a clustered environment for the first time
legacy Troubleshooting
Issue When configuring SAML in a clustered environment and entering the configuration Idp connection an error is shown: java.lang.RuntimeException: java.lang.NullPointerException at...
Getting mixed content on the portal
legacy Troubleshooting
Issue After enabling SSL and routing the domain, getting mixed content on the portal that is the pages in the https://www.abc.in referring the http://www.abc.in for the stylesheet, javascript, and henceforth....
Browser console error : The connection used to load resources from https://www.xxx.yyyy used TLS 1.0 or TLS 1.1, which are deprecated and will be disabled in the future
legacy Troubleshooting
Issue Browser console error as "The connection used to load resources from https://www.xxx.yyyy used TLS 1.0 or TLS 1.1, which are deprecated and will be disabled in the future. Once disabled, users will be prevented...
Force Basic and Force Digest Auth option are not honored
legacy Troubleshooting
Issue Steps to reproduce: Configure Digest Authentication: System Settings > API Authentication > Digest Authentication: Force Digest Authentication: True Enabled: True Hosts Allowed: n/a URLs Excludes: n/a URLs...
How to verify the current Implementation version of log4j.jar file
legacy How To
Issue We would like to verify the implementation version of a log4j.jar file, either to verify the application of an update or to assess current vulnerability.  Environment DXP 7.3, DXP 7.4 Resolution You can find the...
Liferay accepts only fully signed SAML responses. Can this requirement be turned off?
legacy
Issue From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps. I can understand that Liferay by default requires the complete signature of...
SSO SP connection doesn't send unauthenticated users to /c/portal/login
legacy How To
Issue Once we setup a SAML SP connection, the SAML adapter doesn't recognize unauthenticated users and redirect them to /c/portal/login Environment DXP 7.4 Resolution This is intended behavior with the “Prompt Enabled”...
User is redirected to the 404 page instead of the login page when the session expires.
legacy How To
Issue The user is not prompted for login but to a 404 page when navigating in pages with restricted access if the user session expires or, if the user is not logged in and tries to access directly the url. ...
What should be done when answers to the security questions are forgotten?
legacy How To
Issue My users keep forgetting their answers to the security questions is there a way to disable this? Also is there an alternative to the forgot password option? Environment DXP 7.4 Resolution Liferay already sends a...
Does having a script in a fragment qualify as a potential XSS vulnerability?
legacy
Issue We can put Javascript code in a fragment's HTML section where the code can be executed, when the fragment is opened, like <img src=x onerror="alert(document.cookie)"> Can that be a vulnerability to...
Does having a script in a button fragment qualify as a potential XSS vulnerability?
legacy
Issue We can put a Javascript code in the Button fragment's URL field, so it can be executed when we click on the button, like javascript:alert(document.cookie) Can that be a vulnerability to Cross Site...
Does Liferay support more than one SAML connection?
legacy
Issue Can Liferay connect to more than one Service or Identity Provider? Environment  DXP 7.0  DXP 7.1  DXP 7.2  DXP 7.3  DXP 7.4 Resolution Yes, Liferay does support more than one SAML or Identity Provider...
Does having a script in the Analytics section qualify as a potential XSS vulnerability?
legacy
Issue We can put Javascript code in the Matomo (DXP 7.4) or Piwiki (DXP 7.0-7.3) field where the code can be executed on every other page Go to a Site's Configuration -> Site Settings -> Analytics Under the...
How can we set the requireSSL property?
legacy How To
Issue How can we enable the requireSSL attribute in Liferay? Environment Liferay DXP 7.0+ Resolution You can set that in your JDBC properties:...
0Auth2.0 issues new token every time even before token's expiration time
legacy
Issue The access_token expiration default is set to 10 minutes. When invoking the /oauth2/token before the previous token expires, a brand new token is issued instead of the original token.  Environment DXP 7.4...
Unable to process SAML request
legacy Troubleshooting
Issue Some users are unable to login via SAML Steps to reproduce: Login User for the first time The user gets logged-in successfully Now, log out and try logging in again Result: Throws unable to process SAML...
After configuring a CDN, Liferay does not load images and throws error in browser console
legacy Troubleshooting
Issue We have configured a CDN with our Liferay environment. The portal is unable to load Liferay JS/CSS and images and we see errors in the browser console: Access to XMLHttpRequest at 'https...(CDN)' from origin...
Does CVE-2022-1471 affects DXP 7.4?
legacy Troubleshooting
Issue Our scanner reported that the Liferay DXP image as well as the Elasticsearch image are vulnerable to CVE-2022-1471, which is about an issue with SnakeYaml. Could you please confirm if we have to address this...
AuditEvent not saved after migrating from Portal 6.2 to DXP 7.4
legacy Troubleshooting
Issue After migrating to DXP 7.4. If we use the portal normally, there aren't new entries in Audit_AuditEvents table. Environment Liferay DXP 7.4 Resolution Go to System Settings -> Audit -> Persistent...
How to extract the okta authorization token for each user?
legacy Troubleshooting
Issue Once users log in to Liferay, the user should get redirected to Okta. After successful authentication, Okta is supposed to return an authorization token for that specific user.  Concern: After successful Okta...
Unable to extend user session on Weblogic
legacy Troubleshooting
Issue When I call Liferay.Session.extend(); from Liferay 7.4 running on Weblogic, the user session terminates. Environment DXP 7.4 Weblogic Resolution This behavior is resolved by LPS-190923. Please open a help...
XSS and Web Content editing
legacy Troubleshooting
Issue Web Content Editing If a script is added to the content field and published, the script is executed when the article is displayed. Accessing the page triggers an alert each time. Allowing such content could...
Where is the password reset email set up and in what priority order?
legacy
Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us....
I am redirected to the home guest page after login with SAML
legacy Troubleshooting
Issue After logging in with SAML, I am redirected to the Home Page of a non-logged-in user. I am redirected back to the Portal login screen after login with SAML Environment Portal 6.2 DXP 7.0+ Resolution This can be...
Does Liferay DXP validate Session Identifiers?
legacy
Issue Does Liferay DXP validate Session Identifiers? And yes, Liferay does validate Session Identifiers! Environment Liferay DXP Resolution As for the session configuration in the portal we have the...
Does CVE-2016-1000027 affect Liferay?
legacy
Issue Security scan shows CVE-2016-1000027 as an active vulnerability, is Liferay affected? Environment DXP 7.4 Resolution CVE-2016-1000027 is known to us, and we can confirm that Liferay should not be vulnerable, as...
Does CVE-2022-47966 affect Liferay?
legacy
Issue Our security scan has shown CVE-2022-47966 as an active critical vulnerability. Is Liferay affected? Environment DXP 7.2 Resolution The out-of-the-box Liferay product is not affected by this vulnerability. So,...
Insecure HTTP methods
legacy How To
Issue HTTP methods like HEAD, OPTIONS, TRACE may provide information about the application that can be used in attacks like XST, CSRF, steal of sensitive information. How we can disable insecure/unnecessary http...
Tomcat's vulnerability CVE-2023-44487
legacy
Issue Is DXP 7.4 affected by Tomcat's Rapid Reset CVE-2023-44487? Environment Liferay DXP 7.4 Resolution If user is not using Tomcat with DXP, then it is not affected by “Tomcat's Rapid Reset CVE-2023-44487”. If...