Search Results

All Results 435
LFR_SESSION_STATE cookies are not marked as HttpOnly
Issue LFR_SESSION_STATE cookies are not marked as HttpOnly Environment Liferay DXP, Liferay 6.2 Resolution This is not a security issue because this cookie is created and used in session.js, which is the portal's JavaScript. ...
How Can I Assign Roles to Users When Importing from LDAP?
Issue When importing users to Liferay DXP from LDAP, they are not being assigned the roles I want them to have from my LDAP server. Environment Liferay DXP LDAP Resolution In Liferay DXP, Users are...
Lodash Security Vulnerability in Theme Dependencies
Issue In the Liferay theme dependencies, Lodash versions 3.10.1 and below are used extensively as dependencies throughout. Versions of Lodash prior to 4.17.5 suffer from a security risk: CVE-2018-3721...
Generating SAML Metadata with HTTPS
Issue This article documents how to generate a SAML metadata XML file that also has HTTPS enabled. Environment Liferay Portal 6.2, DXP 7.0, DXP 7.1 Any web server  Resolution In order to generate a SAML metadata.xml...
Why are user accounts shared when I have multiple LDAP servers configured?
Issue When a Liferay DXP bundle is configured to communicate with two or more LDAP servers there can be issues with user importing and users logging in. Example: If Liferay DXP is communicating with two LDAP...
Updated Email Addresses in LDAP are not Imported to Liferay DXP 7.0
Issue This article documents a product limitation and a possible workaround for importing a user whose email address was updated in LDAP into a Liferay DXP instance. Environment Liferay DXP  LDAP server Resolution This...
Using MS ADFS & Liferay SAML Integration
Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these...
Remove the Ability to Add JavaScript in the Control Panel's Site Pages
Issue Disable the ability to add JavaScript to pages on DXP 7.0 and thus prevent malicious code injections. Environment  DXP 7.0 Fix Pack 60+ This functionality was introduced in DXP 7.0 Fix Pack 60 Resolution Install...
Deployment of SAML plugin does not display SAML admin screen
Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Event/Use...
The Forget Password page is vulnerable to CSRF attack
Issue The Forget Password form can be re-submitted with different cookies, which leads to the CSRF issue. Environment Liferay DXP 7.2 Resolution This is considered a False Positive, as the user is not logged into...
Why is the p_p_auth token exposed in the URL? Could it be a security risk?
Issue On Liferay Portal 6.2, the p_p_auth token is exposed in the URL. It might be considered a security risk. Environment Liferay Portal 6.2 Resolution No attacker or other user can use the p_p_auth token, only a...
SAML logout when session expires
Issue Single sign-on and single logout work fine when the user manually logs out, but no single logout happens when the portal session expires. Environment Liferay 7.0 as IdP Resolution Service...
How to configure validation directives in AntiSamy
Issue When trying to import content between sites, i.e. knowledge base, a validation error arises: An unexpected error occurred with the publication process. Please check your portal and publishing configuration....
How to review User Permissions on Freemarker and Velocity templates
Issue After applying the fix for LSV-658, how can I see which users have permissions for (which) Freemarker/Velocity templates, i.e. via the user interface or by a database query? The Mitigation Notes of LSV-658...
Page version control information is accessible in sitemap.xml
Issue Page version control information is accessible in sitemap.xml - such information shall not be exposed for security reasons. Reproduction: 1) Start up bundle 2) Access sitemap...
Changing password forces users to log in again
Issue Changing password invalidates current sessions and the users have to log in again. 2020-02-07 13:08:37.558 ERROR [http-nio-8080-exec-2][PortletServlet:112] javax.portlet.PortletException:...
Session Hijacking issue with https connection
Issue By replacing the sessionId of a logged-in user, the user's session from another browser is replicated. Steps to reproduce Create 2 users like u1, u2 Assign the role for the u1 as "Power user", u2 as "Portal...
Integration of SiteMinder SSO
Issue How to integrate SiteMinder SSO with Liferay Environment Liferay DXP 7.0 Resolution By default, token-based authentication is disabled in Liferay. To manage it, refer to this document: Token-based...
Using Active Directory, a user is still able to log in with the old password after changing it
Issue Using Active Directory, a user is still able to log in with the old password after the password has been changed. Environment Liferay Portal 6.2 Resolution Under Control Panel -> Portal Settings ->...
404 error when downloading module "com.liferay.saml.opensaml.integration" from Release Notes page
Issue Getting a 404 error when downloading module "com.liferay.saml.opensaml.integration" from Release Notes page. Environment Liferay DXP 7.2 Resolution The module for  "com.liferay.saml.opensaml.integration" can be...
The /dtd/ folder of the war with sensitive information is exposed when deploying a portal on Weblogic 12c R2
Liferay Support does not recommend or endorse specific third-party products over others. The information provided about products not created by Liferay is for reference purposes only, and any implementation of these...
Module download link can not be opened on Liferay DXP Release Notes page with 404 error
Issue  When trying to download modules like "com.liferay.saml.opensaml.integration" from Liferay DXP Release Notes page, the download link can not be opened with a 404 error. Environment Liferay DXP 7.2 Resolution...
Is Liferay Product affected by OpenSSL security issue CVE-2020-1967 ?
Issue Is Liferay Product affected by OpenSSL security issue CVE-2020-1967 ? Environment Liferay DXP 7.1 Resolution Since Liferay products do not come with OpenSSL built-in, Liferay is not affected by CVE-2020-1967 out of the...
How to resolve users being unable to log out after configuring a Token-Based SSO
Issue After configuring and enabling a Token Based SSO in our 7.2 environment (upgraded from 7.0), users are now unable to log out, and they are instead redirected to the home page (still logged in). In our 7.0...
When resetting a password, duplicate error messages appear
Issue Duplicate error messages show up when resetting the password Steps to reproduce: 1. Start and set up Liferay DXP 7.3 SP1 using the setup wizard. The email can be set as test@liferay.com and the password as a...
I cannot create new Virtual Instance with error Screen name must not be null
Issue When I try to create a new Virtual Instance, the portal displays the error "Your request failed to complete". The portal log shows the following error: ERROR [default...
Importing LDAP settings through osgi/config files does not import password
Issue LDAP settings can be imported into the Liferay environment using osgi/config files These settings are imported into System Settings, and can then be configured for an individual instance in Instance Settings When...
Content-Security-Policy Header Integration
Issue How can a CSP (content security policy) HTTP header that enables only specific external resources to be loaded in the frontend be implemented? Environment Liferay DXP 7.2 Resolution CSP is not currently...
HTTP Strict Transport Security (HSTS) Header Not Used
Issue The HSTS header cannot completely defend against man-in-the-middle attacks. However, it can be useful in defending against an attack in which an attacker establishes an encrypted connection to the application and...
Verbose Error Messages
Issue The name of the technologies used, such as Apache Coyote, Tomcat, etc. are visible. Environment Liferay DXP 7.2, DXP 7.3 Resolution  Each application is responsible for allowing its information to be displayed...
Known Vulnerabilities with Liferay AntiSamy
The following issue may compromise the security of your Liferay Digital Experience Platform implementation.  Vulnerability Information The Liferay AntiSamy app depends on third party libraries that have known...
Prevent or allow applications from being dynamically displayed on a page
Issue The permissions system for an application (portlet) includes a security check when the application is going to be displayed in a page. Normally, the users should not be able to see applications if the...
Session Management in Liferay
Issue How are sessions managed in Liferay, and what are the different ways to configure them? Also, do Liferay sessions work in browsers with JavaScript disabled? Environment Liferay DXP...
No administrative options can be accessed when an F5 load balancer is in front of Liferay forcing a secure protocol
Issue When an F5 load balancer is in front of Liferay and is forcing a secure protocol, no administrative options can be selected and accessed. On Liferay the following options are configured on the...
Authenticated users with no permission to access Control Panel can navigate to /control_panel/manage with the message: Please select a tool from the left menu.
Issue I have an issue with authenticated users who do not have privilege to access the Control Panel. A user with no specific role (Only User role), when navigating to /control_panel/manage gets redirected to a page...
Re-enabling Basic Authentication when Unable to Access the DXP Control Panel
Issue My Basic Authentication was disabled at the Instance Level, and now I am unable to access the DXP Portal because of it. How do I re-enable Basic Authentication without logging in?   Environment Quarterly...
Cross-Site Scripting: Reflected
Issue A Cross-Site Scripting (XSS) vulnerability was detected in the web application. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not...
Callback URL of OAuth2 application created via client extension resets after server restart
Issue After restarting the server, the callback URL for OAuth2 applications created via client extensions, gets reset to the default @protocol@://localhost@port-with-colon@/o/oauth2/redirect, instead of the...
Changes to Site Templates are not propagated to pages
Issue Changes made to a site template are not propagated to the pages that use the template. We can see the next error in the server log: [LayoutSetPrototypeMergeBackgroundTaskExecutor:219] Merge fail count...
Organization's users exposed in UI when modifying groupID in Request Body
Issue An organization's member list can be seen by manipulating the role member assign(groupID) in a request. Here are the steps to reproduce: Setup browser proxy to 127.0.0.1:8180. For example with Chrome, navigate to...
Is Liferay Affected by CVE-2025-29927?
Issue Is Liferay affected by vulnerability CVE-2025-29927?   Environment Liferay DXP Quarterly Releases   Resolution The vulnerability CVE-2025-29927 is related to Next.js, a technology not used by Liferay as a...
Property "redirect.url.security.mode" has invalid value: domain,domain
Issue After setting the property redirect.url.security.mode=domain we are now seeing WARN messages such as Property "redirect.url.security.mode" has invalid value: domain,domain Environment Liferay DXP Resolution Please...
Security scan detected a "Reference to Windows file path is present in HTML"
Issue Our security scan detected a "Reference to Windows file path is present in HTML" in the following URL:...
How to add security, authentication to my REST service?
Issue We developed a REST service and it works. But we need endpoint security. At the moment it is available without any credentials. We do not want to give access to a REST Web service without credentials.  How can...
User's group membership not updating with LDAP after upgrading to Liferay Portal 6.0 EE SP2
This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. Beginning in Liferay 6.0 EE SP2, the...
LDAP settings and upgrading from 5.2.x to 6.x
This article pertains to portals in which LDAP is configured in Liferay Portal 5.2.x and an upgrade is performed. When a user attempts to login, an error is thrown, and the user is not...
'Credential cannot be null' when trying to log in with a customer database
poi-3.16.jar
How to verify that a Log4j patch has resolved all Log4j vulnerabilities
SAML Plugin
Fake SMTP Server for Local Bundle Email Interception
Do source map (.map) files for JS source code represent a vulnerability issue?
Sensitive data such as the user password is printed in our logs
Security vulnerability in CBOR 4.2.0 (Multi-Factor Authentication)
Where is the SAML assertion information stored in Liferay?
How to remove SSLHandshakeException?
Apache Tomcat Security Advisory: CVE-2018-1336
General Information CVE-2018-1336 reports that, "an improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service." This...
/html/common/referer_jsp.jsp vulnerability
The potential CSRF for Liferay default logout link (/c/portal/logout)
Product Navigation Menu will not close upon Sign Out