Known Vulnerabilities

The following vulnerabilities are known to exist in Liferay Portal CE.  Users of older releases are strongly encouraged to upgrade to the latest Liferay Portal CE release, because patches are produced only for the latest release.  Fixes can sometimes be applied to an older release by modifying its source, but they must be backported with care: a fix written against the current release may not apply cleanly, or at all, to older code.

To obtain source or binary patches for an individual vulnerability, click on the name of the vulnerability and look for the links to its source and binary patches.  To obtain a single cumulative source or binary patch covering all known vulnerabilities, visit the Patch Details section of the Reporting page.  Note that the cumulative binary patch may become available a day or two after the corresponding source patches.

Liferay Portal 6.2 CE GA1 (6.2.0)

Issue Title Create Date
LPS-43809 Various XSS issues in Liferay Portal 6.2.0 2/24/15

Liferay Portal 6.2 CE GA2 (6.2.1)

Issue Title Create Date
LPS-45661 Various XSS issues in 6.2.1 3/20/15
LPS-46552 Struts 1 classloader manipulation 3/20/15
LPS-47460 Struts 1 classloader manipulation (generic fix) 3/20/15
LPS-47428 Various XSS issues in 6.2.1 (Part 2) 3/20/15
LPS-47093 CVE-2014-0050 DoS using Apache Commons FileUpload 3/20/15
LPS-48071 Various XSS issues in 6.2.1 (Part 3) 3/20/15
LPS-48763 Guest users can obtain list of sites and workflow definition 3/18/15
LPS-48667 Multiple unvalidated redirects in 6.2.1 3/18/15
LPS-51061 HTTP host header manipulation 3/17/15
LPS-51094 Various XSS issues in 6.2.1 (Part 4) 2/24/15

Liferay Portal 6.2 CE GA3 (6.2.2)

Issue Title Create Date
LPS-54386 XML external entity (XXE) processing vulnerability in 6.2.2 3/20/15
LPS-54382 Insecure handling of authentication information in 6.2.2 3/20/15
LPS-54384 User enumeration with Sign In portlet in 6.2.2 3/20/15
LPS-54306 Incorrect permission checking in 6.2.2 3/20/15
LPS-54303 Various XSS issues in 6.2.2 3/19/15

Liferay Portal 6.2 CE GA4 (6.2.3)

Issue Title Create Date
LPS-58018 XSL Content portlet can be configured with any XML/XSL 9/9/15
LPS-58015 CSRF attack using uploaded flash files 9/9/15
LPS-58014 XXE vulnerability in OpenID authentication 9/9/15
LPS-57597 Path traversal vulnerability with plugins 9/9/15
LPS-57595 Email header injection vulnerability 9/9/15
LPS-57582 Various permission issues in 6.2.3 9/9/15
LPS-57553 Old password reset links are not invalidated 9/9/15
LPS-57552 DoS and information leak vulnerability with GenericPortlet 9/9/15
LPS-57532 Various XSS issues in 6.2.3 9/9/15

Liferay Portal 6.2 CE GA6 (6.2.5)

Issue Title Create Date
CST-6236 Various XSS issues in 6.2.5 (Part 2) 6/27/17
CST-6235 User credentials appear in logs 6/27/17
CST-6234 Insufficient permission checking in Message Board and Comments 6/27/17
CST-6233 Page configuration information disclosure 6/27/17
LPS-64547 Remote code execution and privilege escalation in templates 6/15/16
LPS-64444 Digest authentication does not respect password policies 6/15/16
LPS-64443 Password reminder answer disclosure 6/15/16
LPS-64442 Open redirect vulnerability 6/15/16
LPS-64441 Java Serialization Vulnerability 6/15/16
LPS-64440 Various XSS issues in 6.2.5 6/15/16
LPS-64438 Various permission issues in 6.2.5 6/15/16