Community Security Team

The Liferay Community Security Team is an all-volunteer group of community members who manage security issues related to Liferay Portal.

The Liferay Community Security Team pages have moved to the Liferay Developer Network - Community Security Team. Please update your bookmarks, as this page will eventually be removed.

Known Vulnerabilities

The following vulnerabilities are known to exist in Liferay Portal CE. Users of older releases are strongly encouraged to upgrade to the latest Liferay Portal CE release. Patches are only produced for the latest Liferay Portal CE release. Source code modifications may be possible on older releases, but care must be taken to backport fixes that may not apply to older releases.

To obtain source or binary patches for each of the vulnerabilities, click on the name of the vulnerability, and look for links for source and binary patches. To obtain a single cumulative source or binary patch for all known vulnerabilities, visit the Patch Details section of the CST Process page. Note that the availability of the single cumulative binary patch may lag a day or two behind availability of the associated source patches.

Quick Links

Liferay Faces 3.x/4.x

Title / Created (yy/mm/dd)
CST-SA: FACES-1917 Security vulnerability with _jsfBridgeViewId, _facesViewIdRender, and _facesViewIdResource URL parameter values 14/05/14

Liferay Portal 6.1 CE GA1 (6.1.0)

Title / Created (yy/mm/dd)
CST-SA: LPS-28934 Delete any file on the server (Wiki) 12/07/31
CST-SA: LPS-28836 Directory traversal with document conversion 12/07/26
CST-SA: LPS-28423 Delete any file on the server 12/07/09
CST-SA: LPS-26930 Reconfigure Liferay to use a remote cache 12/07/09
CST-SA: LPS-28358 SecureFilter can be bypassed 12/07/06
CST-SA: LPS-28309 Directory Traversal 12/07/06
CST-SA: LPS-26940 Users without the ASSIGN_MEMBER permission can still assign users to an organization 12/07/06
CST-SA: LPS-26935 All JSON web services are accessible without authentication. 12/07/06
CST-SA: LPS-27726 Remote code execution in Calendar portlet 12/07/06

Liferay Portal 6.1 CE GA2 (6.1.1)

Title / Created (yy/mm/dd)
CST-SA: LPS-33764 Various XSS Issues in Liferay 6.1.1 13/04/02
CST-SA: LPS-31750 Non-secure cookie LFR_SESSION_STATE_XXXXXX is created when connected over HTTPS 13/04/02
CST-SA: LPS-31090 DLFileVersionServiceImpl.getLatestFileVersion(long) doesn't have permission check 13/04/02
CST-SA: LPS-31063 XSS vulnerability with swfuploader 13/04/02
CST-SA: LPS-30940 cdn_host parameter allows JS injection (XSS) 13/04/02
CST-SA: LPS-29872 Organization admin of sub organization can export users of parent organization 13/04/02
CST-SA: LPS-29341 Posting messages in foreign Message Boards 13/04/02
CST-SA: LPS-29268 Simple DOS attack on PortletPreferences 13/04/02
CST-SA: LPS-30437 Users without permission can create folders/files in the root folder 12/11/16
CST-SA: LPS-28550 Able to view any journal structure/template's source 12/11/16
CST-SA: LPS-30796 Delete any file on the server (Knowledge Base) 12/11/16
CST-SA: LPS-30093 Organization administrators can change an omni-admin's password 12/10/23
CST-SA: LPS-29338 XSS in group membership requests 12/10/23
CST-SA: LPS-29148 Private announcements can be viewed through announcement edit 12/10/23
CST-SA: LPS-29061 created by setupwizard even when different user specified 12/10/23
CST-SA: LPS-30586 Able to delete any user by created URL 12/10/23

Liferay Portal 6.2 CE GA1 (6.2.0)

Title / Created (yy/mm/dd)
CST-SA: LPS-43809 Various XSS Issues in Liferay Portal 6.2.0 14/02/13

Liferay Portal 6.2 CE GA2 (6.2.1)

Title / Created (yy/mm/dd)
CST-SA: LPS-51094 Various XSS issues in 6.2.1 (Part 4) 14/11/11
CST-SA: LPS-51061 HTTP host header manipulation 14/11/11
CST-SA: LPS-48763 Guest users can obtain list of sites and workflow definition 14/07/29
CST-SA: LPS-48667 Multiple unvalidated redirects in 6.2.1 14/07/29
CST-SA: LPS-48071 Various XSS issues in 6.2.1 (Part 3) 14/07/29
CST-SA: LPS-47093 CVE-2014-0050 DoS using Apache Commons FileUpload 14/06/16
CST-SA: LPS-47428 Various XSS issues in 6.2.1 (Part 2) 14/06/16
CST-SA: LPS-47460 Struts 1 Classloader manipulation (Generic fix) 14/06/16
CST-SA: LPS-46552 Struts 1 Classloader manipulation 14/05/07
CST-SA: LPS-45661 Various XSS issues in 6.2.1 14/04/22
CST-SA: LPS-45697 Phishing vulnerability in SessionClickAction 14/04/22
CST-SA: LPS-45701 Users can add any portlet to a page by manipulating the URL 14/04/22