Known Vulnerabilities

The following vulnerabilities are known to exist in Liferay Portal CE.  Users of older releases are strongly encouraged to upgrade to the latest Liferay Portal CE release.  Patches are only produced for the latest Liferay Portal CE release.  Source code modifications may be possible on older releases, but care must be taken to backport fixes that may not apply to older releases.

To obtain source or binary patches for each of the vulnerabilities, click on the name of the vulnerability, and look for links for source and binary patches.  To obtain a single cumulative source or binary patch for all known vulnerabilities, visit the Patch Details section of the Reporting page.  Note that the availability of the single cumulative binary patch may lag a day or two behind availability of the associated source patches.

Liferay Portal 7.0 CE GA3 (7.0.2)

Title Create Date
CST-7031 Velocity/FreeMarker templates do not properly restrict variable usage 8/7/17
CST-7027 ThreadLocal may leak variables 6/26/17
CST-7026 Password exposure in Server Administration 6/26/17
CST-7025 Password exposure during a data migration 6/26/17
CST-7024 Multiple permission vulnerabilities in 7.0 CE GA3 6/26/17
CST-7023 Password policy circumvention via forgot password 6/26/17
CST-7022 Open redirect vulnerability in Search 6/26/17
CST-7021 DoS vulnerabilities in Apache Commons FileUpload 6/26/17
CST-7020 XXE vulnerability in Apache Tika 6/26/17
CST-7019 DoS vulnerability via SessionClicks 6/26/17
CST-7018 RCE via TunnelServlet 2/23/17
CST-7017 Multiple XSS vulnerabilities in 7.0 CE GA3 6/23/17

Liferay Portal 7.0 CE GA4 (7.0.3)

Title Create Date
CST-7036 Reminder query answer exposed in shared environments 11/6/17
CST-7035 Login information exposed in URL 11/6/17
CST-7034 Multiple permission vulnerabilities in 7.0 CE GA4 11/6/17
CST-7033 Multiple XSS vulnerabilities in 7.0 CE GA4 11/6/17
CST-7032 Paths to OSGi bundles exposed 8/7/17
CST-7030 Multiple XSS vulnerabilities in 7.0 CE GA4 8/7/17
CST-7029 Denial of service vulnerability via the editing of a wiki page 8/7/17
CST-7028 Denial of service vulnerability via crafted URL 8/7/17

Liferay Portal 7.0 CE GA5 (7.0.4)

Title Create Date
CST-7045 SMTP header injection vulnerability via Commons Email 4/3/18
CST-7044 Content spoofing via URL manipulation 4/3/18
CST-7043 Local file disclosure via crafted URL 4/3/18
CST-7042 Open redirect vulnerability in Asset Publisher 4/3/18
CST-7041 Unauthorized access to system portlets/applications 4/3/18
CST-7040 Denial of service vulnerability when using Xuggler 4/3/18
CST-7039 Password exposure in System Settings 4/3/18
CST-7038 Multiple permission vulnerabilities in 7.0 CE GA5 4/3/18
CST-7037 Multiple XSS vulnerabilities in 7.0 CE GA5 4/3/18

Liferay Portal 7.0 CE GA6 (7.0.5)

Title Create Date
CST-7052 Multiple CSRF vulnerabilities in 7.0 CE GA6 5/29/18
CST-7051 Remote code execution via Web Proxy application 5/29/18
CST-7050 BREACH attack vulnerability 5/29/18
CST-7049 doAsUserId leaked to third party sites 5/29/18
CST-7048 User information exposure in asset tag API 5/29/18
CST-7047 Multiple permission vulnerabilities in 7.0 CE GA6 5/29/18
CST-7046 Reflected XSS in JSONSWS API page 5/29/18

Liferay Portal 7.0 CE GA7 (7.0.6)

Title Create Date
CST-7059 Theoretical OS command injection in SendmailHook 7/4/18
CST-7058 CSV injection in Forms, DDL and user export 7/4/18
CST-7057 CSRF vulnerability with comments 7/4/18
CST-7056 Form REST data provider password disclosure 7/4/18
CST-7055 Open redirect prevention circumvention 7/4/18
CST-7054 Blog titles leaked to users without view permission 7/4/18
CST-7053 Multiple XSS vulnerabilities in 7.0 CE GA7 7/4/18

Liferay Portal 7.1 CE GA1 (7.1.0)

Title Create Date
CST-7109 XXE vulnerability in XSL Content & Web Content 11/12/18
CST-7108 User can change password without entering current password 11/12/18
CST-7107 HTML injection in notification emails 11/12/18
CST-7106 SSRF vulnerability via templates 11/12/18
CST-7105 LDAP injection 11/12/18
CST-7104 Multiple permission vulnerabilities in 7.1 CE GA1 11/12/18
CST-7103 Multiple XSS vulnerabilities in 7.1 CE GA1 11/12/18
CST-7102 Open redirect vulnerability with Blogs RSS and tunnel-web 11/9/18
CST-7101 Password changes do not terminate other sessions 11/9/18

Vulnerabilities archive for past releases: 6.2 CE | 7.0 CE
