Community Security Team

The Liferay Community Security Team is an all-volunteer group of community members who manage security issues related to Liferay Portal.

The Liferay Community Security Team pages have moved to the Liferay Developer Network - Community Security Team. Please update your bookmarks, as this page will eventually be removed.

Known Vulnerabilities

The following vulnerabilities are known to exist in Liferay Portal CE. Users of older releases are strongly encouraged to upgrade to the latest Liferay Portal CE release, because patches are only produced for the latest release. Fixes can usually be applied to the source of an older release, but they must be backported by hand and may not apply cleanly.

To obtain source or binary patches for a vulnerability, click on its name and look for the source and binary patch links. To obtain a single cumulative source or binary patch covering all known vulnerabilities, visit the Patch Details section of the CST Process page. Note that the cumulative binary patch may lag a day or two behind the associated source patches.


Liferay Faces 3.x/4.x

Title / Created
CST-SA: FACES-1917 Security vulnerability with _jsfBridgeViewId, _facesViewIdRender, and _facesViewIdResource URL parameter values / 2014-05-14

Liferay Portal 6.1 CE GA1 (6.1.0)

Title / Created
CST-SA: LPS-28934 Delete any file on the server (Wiki) / 2012-07-31
CST-SA: LPS-28836 Directory traversal with document conversion / 2012-07-26
CST-SA: LPS-28423 Delete any file on the server / 2012-07-09
CST-SA: LPS-26930 Reconfigure Liferay to use a remote cache / 2012-07-09
CST-SA: LPS-28358 SecureFilter can be bypassed / 2012-07-06
CST-SA: LPS-28309 Directory traversal / 2012-07-06
CST-SA: LPS-26940 Users without the ASSIGN_MEMBER permission can still assign users to an organization / 2012-07-06
CST-SA: LPS-26935 All JSON web services are accessible without authentication / 2012-07-06
CST-SA: LPS-27726 Remote code execution in Calendar portlet / 2012-07-06

Liferay Portal 6.1 CE GA2 (6.1.1)

Title / Created
CST-SA: LPS-33764 Various XSS issues in Liferay 6.1.1 / 2013-04-02
CST-SA: LPS-31750 Non-secure cookie LFR_SESSION_STATE_XXXXXX is created when connected over HTTPS / 2013-04-02
CST-SA: LPS-31090 DLFileVersionServiceImpl.getLatestFileVersion(long) doesn't have a permission check / 2013-04-02
CST-SA: LPS-31063 XSS vulnerability with swfuploader / 2013-04-02
CST-SA: LPS-30940 cdn_host parameter allows JS injection (XSS) / 2013-04-02
CST-SA: LPS-29872 Organization admin of a sub-organization can export users of the parent organization / 2013-04-02
CST-SA: LPS-29341 Posting messages in foreign Message Boards / 2013-04-02
CST-SA: LPS-29268 Simple DoS attack on PortletPreferences / 2013-04-02
CST-SA: LPS-30437 Users without permission can create folders/files in the root folder / 2012-11-16
CST-SA: LPS-28550 Able to view any journal structure/template's source / 2012-11-16
CST-SA: LPS-30796 Delete any file on the server (Knowledge Base) / 2012-11-16
CST-SA: LPS-30093 Organization administrators can change an omni-admin's password / 2012-10-23
CST-SA: LPS-29338 XSS in group membership requests / 2012-10-23
CST-SA: LPS-29148 Private announcements can be viewed through announcement edit / 2012-10-23
CST-SA: LPS-29061 created by setupwizard even when different user specified / 2012-10-23
CST-SA: LPS-30586 Able to delete any user by crafted URL / 2012-10-23

Liferay Portal 6.2 CE GA1 (6.2.0)

Title / Created
CST-SA: LPS-43809 Various XSS issues in Liferay Portal 6.2.0 / 2014-02-13

Liferay Portal 6.2 CE GA2 (6.2.1)

Title / Created
CST-SA: LPS-51094 Various XSS issues in 6.2.1 (Part 4) / 2014-11-11
CST-SA: LPS-51061 HTTP Host header manipulation / 2014-11-11
CST-SA: LPS-48763 Guest users can obtain list of sites and workflow definitions / 2014-07-29
CST-SA: LPS-48667 Multiple unvalidated redirects in 6.2.1 / 2014-07-29
CST-SA: LPS-48071 Various XSS issues in 6.2.1 (Part 3) / 2014-07-29
CST-SA: LPS-47093 CVE-2014-0050 DoS using Apache Commons FileUpload / 2014-06-16
CST-SA: LPS-47428 Various XSS issues in 6.2.1 (Part 2) / 2014-06-16
CST-SA: LPS-47460 Struts 1 ClassLoader manipulation (generic fix) / 2014-06-16
CST-SA: LPS-46552 Struts 1 ClassLoader manipulation / 2014-05-07
CST-SA: LPS-45661 Various XSS issues in 6.2.1 / 2014-04-22
CST-SA: LPS-45697 Phishing vulnerability in SessionClickAction / 2014-04-22
CST-SA: LPS-45701 Users can add any portlet to a page by manipulating the URL / 2014-04-22