Community Security Team

The Liferay Community Security Team is an all-volunteer group of community members who manage security issues related to Liferay Portal.

Known Vulnerabilities

The following vulnerabilities are known to exist in Liferay Portal CE. Users of older releases are strongly encouraged to upgrade to the latest Liferay Portal CE release, because patches are produced only for the latest release. The source patches can still be applied by hand to older releases, but the fixes may not apply cleanly there and must be backported with care.

To obtain the source or binary patch for a vulnerability, click on its name and look for the links to the source and binary patches. To obtain a single cumulative source or binary patch covering all known vulnerabilities, visit the Patch Details section of the CST Process page. Note that the cumulative binary patch may become available a day or two after the associated source patches.

Quick Links

Liferay Portal 6.1 CE GA1 (6.1.0)

Advisory           Title                                                                                 Create Date
CST-SA: LPS-28934  Delete any file on the server (Wiki)                                                  7/31/12
CST-SA: LPS-28836  Directory traversal with document conversion                                          7/26/12
CST-SA: LPS-28423  Delete any file on the server                                                         7/9/12
CST-SA: LPS-26930  Reconfigure Liferay to use a remote cache                                             7/9/12
CST-SA: LPS-28358  SecureFilter can be bypassed                                                          7/6/12
CST-SA: LPS-28309  Directory Traversal                                                                   7/6/12
CST-SA: LPS-26940  Users without the ASSIGN_MEMBER permission can still assign users to an organization  7/6/12
CST-SA: LPS-26935  All JSON web services are accessible without authentication.                          7/6/12
CST-SA: LPS-27726  Remote code execution in Calendar portlet                                             7/6/12

Liferay Portal 6.1 CE GA2 (6.1.1)

Advisory           Title                                                                                 Create Date
CST-SA: LPS-33764  Various XSS Issues in Liferay 6.1.1                                                   4/2/13
CST-SA: LPS-31750  Non-secure cookie LFR_SESSION_STATE_XXXXXX is created when connected over HTTPS       4/2/13
CST-SA: LPS-31090  DLFileVersionServiceImpl.getLatestFileVersion(long) doesn't have permission check     4/2/13
CST-SA: LPS-31063  XSS vulnerability with swfuploader                                                    4/2/13
CST-SA: LPS-30940  cdn_host parameter allows JS injection (XSS)                                          4/2/13
CST-SA: LPS-29872  Organization admin of sub organization can export users of parent organization        4/2/13
CST-SA: LPS-29341  Posting messages in foreign Message Boards                                            4/2/13
CST-SA: LPS-29268  Simple DOS attack on PortletPreferences                                               4/2/13
CST-SA: LPS-30437  Users without permission can create folders/files in the root folder                  11/16/12
CST-SA: LPS-28550  Able to view any journal structure/template's source                                  11/16/12
CST-SA: LPS-30796  Delete any file on the server (Knowledge Base)                                        11/16/12
CST-SA: LPS-30093  Organization administrators can change an omni-admin's password                       10/23/12
CST-SA: LPS-29338  XSS in group membership requests                                                      10/23/12
CST-SA: LPS-29148  Private announcements can be viewed through announcement edit                         10/23/12
CST-SA: LPS-29061  test@liferay.com created by setupwizard even when different user specified            10/23/12
CST-SA: LPS-30586  Able to delete any user by created URL                                                10/23/12

Liferay Portal 6.2 CE GA1 (6.2.0)

Advisory           Title                                                                                 Create Date
CST-SA: LPS-43809  Various XSS Issues in Liferay Portal 6.2.0                                            2/13/14
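As an added example (not code from the Liferay CST or the Liferay project), the following Python script parses an advisory index in the plain-text layout used on this page: a release heading such as "Liferay Portal 6.1 CE GA2 (6.1.1)" followed by one "CST-SA: LPS-NNNNN <title> M/D/YY" row per advisory. Given an installed release, it lists the advisories filed against that release, newest first, and applies the policy stated at the top of the page (patches are produced only for the latest CE release) to say whether patches are available or an upgrade or backport is needed. The sample index embedded in the script is constructed from a few rows copied from the tables above; the assumption that every two-digit year is 20xx is the script's, not the page's.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample: a few rows copied from the tables above, in the page's own layout.
SAMPLE_INDEX = """\
Liferay Portal 6.1 CE GA1 (6.1.0)

Title Create Date
CST-SA: LPS-28934 Delete any file on the server (Wiki) 7/31/12
CST-SA: LPS-26935 All JSON web services are accessible without authentication. 7/6/12

Liferay Portal 6.1 CE GA2 (6.1.1)

Title Create Date
CST-SA: LPS-33764 Various XSS Issues in Liferay 6.1.1 4/2/13
CST-SA: LPS-30586 Able to delete any user by created URL 10/23/12

Liferay Portal 6.2 CE GA1 (6.2.0)

Title Create Date
CST-SA: LPS-43809 Various XSS Issues in Liferay Portal 6.2.0 2/13/14
"""

# Release heading: "Liferay Portal 6.1 CE GA2 (6.1.1)" -> the version in parentheses.
RELEASE_RE = re.compile(r"^Liferay Portal .*\((\d+)\.(\d+)\.(\d+)\)$")
# Advisory row: "CST-SA: LPS-NNNNN <title> M/D/YY".  The greedy title group backs off
# just far enough to leave the trailing date, so titles may contain digits and dots.
ADVISORY_RE = re.compile(r"^CST-SA: (LPS-\d+) (.+) (\d{1,2})/(\d{1,2})/(\d{2})$")


@dataclass(frozen=True)
class Advisory:
    release: tuple   # (major, minor, patch) of the release heading the row sits under
    lps: str         # Liferay ticket id, e.g. "LPS-28934"
    title: str
    created: date    # the "Create Date" column


def parse_version(text):
    """'6.1.0' -> (6, 1, 0), so releases compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_index(text):
    """Walk the index top to bottom, attributing each row to the most recent heading."""
    advisories, release = [], None
    for raw in text.splitlines():
        line = raw.strip()
        heading = RELEASE_RE.match(line)
        if heading:
            release = tuple(int(part) for part in heading.groups())
            continue
        row = ADVISORY_RE.match(line)
        if not row:
            continue  # blank lines and the "Title Create Date" column header
        if release is None:
            raise ValueError(f"advisory row before any release heading: {line!r}")
        lps, title, month, day, yy = row.groups()
        # Assumption: every two-digit year in this index is 20xx.
        created = date(2000 + int(yy), int(month), int(day))
        advisories.append(Advisory(release, lps, title, created))
    return advisories


def latest_release(advisories):
    return max(a.release for a in advisories)


def advisories_for(advisories, installed):
    """Rows filed against exactly this release, newest first."""
    version = parse_version(installed)
    matching = [a for a in advisories if a.release == version]
    return sorted(matching, key=lambda a: a.created, reverse=True)


def patch_status(advisories, installed):
    """Apply the policy stated above: patches are produced only for the latest CE release."""
    version, latest = parse_version(installed), latest_release(advisories)
    if version == latest:
        return "patches available"
    if version < latest:
        return "no patches for this release; upgrade to %s or backport the source patches" % (
            ".".join(str(n) for n in latest)
        )
    return "release not present in the index"


if __name__ == "__main__":
    index = parse_index(SAMPLE_INDEX)
    for installed in ("6.1.1", "6.2.0"):
        print(f"== {installed}: {patch_status(index, installed)}")
        for a in advisories_for(index, installed):
            print(f"  {a.created}  {a.lps}  {a.title}")
```

The row pattern anchors on the trailing M/D/YY date rather than on the title, which is why rows whose titles contain version strings such as "6.1.1" or method signatures such as "getLatestFileVersion(long)" still split correctly. Rows are attributed to the heading most recently seen, so the script depends on the index keeping the release heading above its rows, as this page does.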