Liferay Portal and Liferay DXP Virtual Instance Page Addition Vulnerability

Vulnerability

A vulnerability exists in Liferay Portal versions 7.4.0 to 7.4.3.132 and in several Liferay DXP releases, including 2025.Q1.0, 2024.Q4.0 to 2024.Q4.7, 2024.Q3.0 to 2024.Q3.13, 2024.Q2.0 to 2024.Q2.13, and 2024.Q1.1 to 2024.Q1.14. This vulnerability allows admin users of a virtual instance to add pages outside the default virtual instance. Consequently, any tenant can compile a list of all other tenants.

Impact

Exploitation of this vulnerability could lead to unauthorized visibility of tenant information, allowing one tenant to see the existence of other tenants within the same Liferay DXP instance.

Remediation

Users can upgrade to Liferay Portal's master branch or to Liferay DXP versions 2025.Q2.0, 2025.Q1.1, or 2024.Q1.15. For Liferay DXP 2024.Q4, users should upgrade to 2024.Q4.8.
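
The following is an added example, not part of the original advisory and not Liferay code: a check of version strings against the affected ranges listed above, for triaging an inventory of instances. The host names and inventory are constructed, and ignoring a build suffix such as "-ga132" is an assumption.

```python
import re

# Affected ranges exactly as listed in the advisory above. The advisory says
# "including", so a version outside these ranges is "not listed", not proven safe.
PORTAL_AFFECTED = ((7, 4, 0), (7, 4, 3, 132))   # inclusive bounds
DXP_AFFECTED = {                                # (year, quarter) -> (first, last) patch
    (2025, 1): (0, 0),
    (2024, 4): (0, 7),
    (2024, 3): (0, 13),
    (2024, 2): (0, 13),
    (2024, 1): (1, 14),
}

_DXP_RE = re.compile(r"^(\d{4})\.Q([1-4])\.(\d+)$", re.IGNORECASE)
_PORTAL_RE = re.compile(r"^\d+(\.\d+){2,3}$")


def is_listed_affected(version: str) -> bool:
    """Return True if `version` falls in a range the advisory lists as affected."""
    # Assumption: a build suffix such as "-ga132" carries no version information.
    v = version.strip().split("-", 1)[0]
    m = _DXP_RE.match(v)
    if m:
        year, quarter, patch = (int(g) for g in m.groups())
        bounds = DXP_AFFECTED.get((year, quarter))
        return bounds is not None and bounds[0] <= patch <= bounds[1]
    if _PORTAL_RE.match(v):
        parts = tuple(int(p) for p in v.split("."))
        low, high = PORTAL_AFFECTED
        return low <= parts <= high
    raise ValueError(f"unrecognized Liferay version string: {version!r}")


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the sorted host names whose version is listed as affected."""
    return sorted(h for h, v in inventory.items() if is_listed_affected(v))


# Constructed inventory for illustration; host names are hypothetical.
SAMPLE = {
    "portal-a": "7.4.3.132-ga132", "portal-b": "7.4.3.133",
    "dxp-a": "2024.Q1.0", "dxp-b": "2024.Q4.7",
    "dxp-c": "2024.Q4.8", "dxp-d": "2025.q1.0",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the advisory's list is not stated to be exhaustive, a False result means "not in a listed range" and should still be checked against the vendor's own notice.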

Added: Aug 22, 2025, 7:24 PM
Updated: Aug 22, 2025, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 4.8
remediation: 7.7
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.