Legacy Knowledge Base
Published Jul. 2, 2025

LSV-391: Security Advisory for Vulnerability With Pingback in Blogs

Written by Tibor Lipusz

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

This advisory comes in response to the recent public announcement of a potential Server-Side Request Forgery (SSRF) vulnerability in Liferay Portal 7.0.4. The report talks about a perceived vulnerability for the pingback functionality in the blogs feature of the product.

You can find a detailed description of blog pingbacks on Wikipedia.

The purpose of this article is to provide more details about the potential impact area and the related risks.

Affected Products

  • Liferay Digital Experience Platform 7.0
  • Liferay Portal 6.1 and 6.2 EE

Vulnerability Information

The perceived vulnerability applies only to the blogs pingback functionality, which is also part of the Enterprise versions. It does not indicate an XML-RPC vulnerability in any other area of the products. The Liferay products listed above keep an explicit registry of the XML-RPC methods that may be executed through the /xmlrpc/* endpoint. The report identifies the fact that a URL may be attached to a comment that is added when a pingback request is executed. Out-of-the-box (OOTB), the only command that can be executed through this channel is the blogs pingback capability. There is no way for users to perform arbitrary remote code execution.

Resolution

Please visit LSV 391: Security Vulnerability for more information.

Workaround

It is important to note that blog pingbacks explicitly allow anonymous users to add comments to blogs. If you do not want this capability for your blog, there is a setting in portal.properties that explicitly disables pingbacks. Specifically, override it by setting blogs.pingbacks.enabled=false in your portal-ext.properties.
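The following script is an added example written for this article; it is not Liferay code and does not use any Liferay API. It illustrates the two points above from a defender's side: first, what a pingback call arriving at the /xmlrpc/* endpoint looks like (the XML-RPC method name pingback.ping and its two URI parameters come from the public Pingback specification) and how to flag a request whose sourceURI points at a loopback, private or link-local address, which is the shape of the SSRF concern the report describes; second, how to audit a portal-ext.properties file for the workaround setting. The sample request bodies and properties text are constructed for the example. The assumption that a missing blogs.pingbacks.enabled key means pingbacks stay enabled follows the article's statement that the setting is what disables them; verify against the portal.properties default of your own version.

```python
import ipaddress
import xml.etree.ElementTree as ET  # for production, parse untrusted XML with defusedxml instead
from urllib.parse import urlsplit

# Method name defined by the Pingback specification; the only XML-RPC method
# the article says is reachable OOTB through /xmlrpc/*.
PINGBACK_METHOD = "pingback.ping"
WORKAROUND_KEY = "blogs.pingbacks.enabled"


def parse_xmlrpc_call(body: str):
    """Return (methodName, [string params]) from an XML-RPC methodCall body."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = root.findtext("methodName", default="").strip()
    params = [(v.text or "").strip() for v in root.iterfind("./params/param/value/string")]
    return method, params


def is_internal_target(url: str) -> bool:
    """True when the URL would make the server talk to something other than a public
    HTTP(S) host: non-HTTP schemes, localhost, or a literal non-global IP address.
    DNS names are not resolved here (offline), so they are reported as not internal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True
    host = parts.hostname
    if host is None:
        return True
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname; resolution-time checks are out of scope for this example
    return not addr.is_global  # loopback, private, link-local, reserved


def assess_pingback(body: str) -> dict:
    """Classify one XML-RPC request body: is it a pingback, and does its sourceURI
    point somewhere the portal should not be asked to fetch from?"""
    method, params = parse_xmlrpc_call(body)
    if method != PINGBACK_METHOD:
        return {"method": method, "pingback": False, "flag": False, "reason": "not a pingback"}
    if len(params) != 2:
        return {"method": method, "pingback": True, "flag": True, "reason": "malformed parameter count"}
    source, target = params
    flag = is_internal_target(source)
    return {
        "method": method, "pingback": True, "source": source, "target": target,
        "flag": flag, "reason": "sourceURI is not a public HTTP(S) host" if flag else "ok",
    }


def pingbacks_disabled(properties_text: str) -> bool:
    """True only when the properties text explicitly sets blogs.pingbacks.enabled=false.
    Java Properties semantics: the last assignment of a key wins. A missing key is
    treated as 'still enabled' (assumption, see lead-in)."""
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else (":" if ":" in line else None)
        if sep is None:
            continue
        key, _, val = line.partition(sep)
        if key.strip() == WORKAROUND_KEY:
            value = val.strip().lower()
    return value == "false"


# Constructed sample inputs (not captured traffic).
SUSPICIOUS_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://127.0.0.1:8080/</string></value></param>
    <param><value><string>http://blog.example.com/web/guest/blog/-/blogs/hello</string></value></param>
  </params>
</methodCall>"""

NORMAL_REQUEST = SUSPICIOUS_REQUEST.replace("http://127.0.0.1:8080/", "http://example.org/post/1")

HARDENED_PROPERTIES = """# portal-ext.properties (constructed sample)
blogs.pingbacks.enabled=true
# overridden further down, which is what Java Properties will keep
blogs.pingbacks.enabled=false
"""

if __name__ == "__main__":
    for body in (SUSPICIOUS_REQUEST, NORMAL_REQUEST):
        print(assess_pingback(body))
    print("workaround applied:", pingbacks_disabled(HARDENED_PROPERTIES))
```

Running the script flags the first request (sourceURI on 127.0.0.1) and passes the second, and reports the sample properties file as having the workaround applied. In an access log review the same classification can be applied to any POST body captured for the /xmlrpc/* path; a hit is a reason to check whether the workaround is in place rather than proof of exploitation, since the portal's registry still limits the call to the pingback method.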
