Community Security Team

The Liferay Community Security Team is an all-volunteer group of community members who manage security issues related to Liferay Portal.

The Liferay Community Security Team pages have moved to the Liferay Developer Network - Community Security Team. Please update your bookmarks, as this page will eventually be removed.

Known Vulnerabilities

The following vulnerabilities are known to exist in Liferay Portal CE. Users of older releases are strongly encouraged to upgrade to the latest Liferay Portal CE release. Patches are only produced for the latest Liferay Portal CE release. Source code modifications may be possible on older releases, but care must be taken when backporting, since fixes may not apply cleanly to older releases.

To obtain source or binary patches for each of the vulnerabilities, click on the name of the vulnerability and look for links to the source and binary patches. To obtain a single cumulative source or binary patch for all known vulnerabilities, visit the Patch Details section of the CST Process page. Note that the availability of the single cumulative binary patch may lag a day or two behind the availability of the associated source patches.

Quick Links

Liferay Faces 3.x/4.x

Title | Create Date
CST-SA: FACES-1917 Security vulnerability with _jsfBridgeViewId, _facesViewIdRender, and _facesViewIdResource URL parameter values | 5/14/14

Liferay Portal 6.1 CE GA1 (6.1.0)

Title | Create Date
CST-SA: LPS-28934 Delete any file on the server (Wiki) | 7/31/12
CST-SA: LPS-28836 Directory traversal with document conversion | 7/26/12
CST-SA: LPS-28423 Delete any file on the server | 7/9/12
CST-SA: LPS-26930 Reconfigure Liferay to use a remote cache | 7/9/12
CST-SA: LPS-28358 SecureFilter can be bypassed | 7/6/12
CST-SA: LPS-28309 Directory traversal | 7/6/12
CST-SA: LPS-26940 Users without the ASSIGN_MEMBER permission can still assign users to an organization | 7/6/12
CST-SA: LPS-26935 All JSON web services are accessible without authentication | 7/6/12
CST-SA: LPS-27726 Remote code execution in Calendar portlet | 7/6/12

Liferay Portal 6.1 CE GA2 (6.1.1)

Title | Create Date
CST-SA: LPS-33764 Various XSS issues in Liferay 6.1.1 | 4/2/13
CST-SA: LPS-31750 Non-secure cookie LFR_SESSION_STATE_XXXXXX is created when connected over HTTPS | 4/2/13
CST-SA: LPS-31090 DLFileVersionServiceImpl.getLatestFileVersion(long) doesn't have a permission check | 4/2/13
CST-SA: LPS-31063 XSS vulnerability with swfuploader | 4/2/13
CST-SA: LPS-30940 cdn_host parameter allows JS injection (XSS) | 4/2/13
CST-SA: LPS-29872 Organization admin of a sub-organization can export users of the parent organization | 4/2/13
CST-SA: LPS-29341 Posting messages in foreign Message Boards | 4/2/13
CST-SA: LPS-29268 Simple DoS attack on PortletPreferences | 4/2/13
CST-SA: LPS-30437 Users without permission can create folders/files in the root folder | 11/16/12
CST-SA: LPS-28550 Able to view any journal structure/template's source | 11/16/12
CST-SA: LPS-30796 Delete any file on the server (Knowledge Base) | 11/16/12
CST-SA: LPS-30093 Organization administrators can change an omni-admin's password | 10/23/12
CST-SA: LPS-29338 XSS in group membership requests | 10/23/12
CST-SA: LPS-29148 Private announcements can be viewed through announcement edit | 10/23/12
CST-SA: LPS-29061 created by setupwizard even when different user specified | 10/23/12
CST-SA: LPS-30586 Able to delete any user by crafted URL | 10/23/12

Liferay Portal 6.2 CE GA1 (6.2.0)

Title | Create Date
CST-SA: LPS-43809 Various XSS issues in Liferay Portal 6.2.0 | 2/13/14

Liferay Portal 6.2 CE GA2 (6.2.1)

Title | Create Date
CST-SA: LPS-51094 Various XSS issues in 6.2.1 (Part 4) | 11/11/14
CST-SA: LPS-51061 HTTP Host header manipulation | 11/11/14
CST-SA: LPS-48763 Guest users can obtain list of sites and workflow definitions | 7/29/14
CST-SA: LPS-48667 Multiple unvalidated redirects in 6.2.1 | 7/29/14
CST-SA: LPS-48071 Various XSS issues in 6.2.1 (Part 3) | 7/29/14
CST-SA: LPS-47093 CVE-2014-0050 DoS using Apache Commons FileUpload | 6/16/14
CST-SA: LPS-47428 Various XSS issues in 6.2.1 (Part 2) | 6/16/14
CST-SA: LPS-47460 Struts 1 ClassLoader manipulation (generic fix) | 6/16/14
CST-SA: LPS-46552 Struts 1 ClassLoader manipulation | 5/7/14
CST-SA: LPS-45661 Various XSS issues in 6.2.1 | 4/22/14
CST-SA: LPS-45697 Phishing vulnerability in SessionClickAction | 4/22/14
CST-SA: LPS-45701 Users can add any portlet to a page by manipulating the URL | 4/22/14