Liferay JSON service API authentication vulnerability - Vulnerability Database

Liferay JSON service API authentication vulnerability

Description

The Liferay JSON service API verifies a caller's credentials but does not check whether the account is disabled before processing method calls, so a deactivated account whose password is still known can be used to invoke API methods. The default administrator account (test@liferay.com) is the usual target: administrators often disable it after creating their own administrator account but leave its default password unchanged. An attacker who supplies that account's credentials to the JSON API can execute method calls with the privileges the account still holds, bypassing the intended access controls.
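The following added example is not Liferay's code; it is a small in-memory model of the flaw written for this entry. The user store, passwords, role names and service method names are all constructed for illustration. The vulnerable authenticator accepts any caller whose password matches, as the affected API did; the hardened one also rejects disabled accounts, which is the check the patched versions add.

```python
"""Model of the Liferay JSON service API authentication flaw.

Added example, not Liferay code. The user store, credentials, roles and
service methods below are constructed for illustration only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    disabled: bool = False
    roles: frozenset = frozenset()


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, password: str, *, disabled: bool = False, roles=()) -> User:
    salt = os.urandom(16)
    return User(email, salt, _derive(password, salt), disabled, frozenset(roles))


# Constructed store: the default admin was disabled but kept its password.
USERS = {
    "test@liferay.com": make_user("test@liferay.com", "default-password",
                                  disabled=True, roles=("Administrator",)),
    "admin@example.com": make_user("admin@example.com", "S3cure!Passphrase",
                                   roles=("Administrator",)),
}


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_derive(password, user.salt), user.password_hash)


def authenticate_vulnerable(email: str, password: str) -> Optional[User]:
    """Credentials only: a disabled account with a known password passes."""
    user = USERS.get(email)
    if user is None or not verify_password(user, password):
        return None
    return user


def authenticate_fixed(email: str, password: str) -> Optional[User]:
    """Credentials and account status: disabled accounts are rejected."""
    user = authenticate_vulnerable(email, password)
    if user is None or user.disabled:
        return None
    return user


Authenticator = Callable[[str, str], Optional[User]]


# Hypothetical service methods; names are illustrative, not Liferay's.
def _get_user_count(caller: User) -> int:
    return len(USERS)


def _add_admin(caller: User, email: str, password: str) -> str:
    if "Administrator" not in caller.roles:
        raise PermissionError("Administrator role required")
    USERS[email] = make_user(email, password, roles=("Administrator",))
    return email


METHODS = {"get-user-count": _get_user_count, "add-admin": _add_admin}


def call_json_service(auth: Authenticator, email: str, password: str,
                      method: str, *args) -> dict:
    """Authenticate the caller, then dispatch one JSON API method."""
    caller = auth(email, password)
    if caller is None:
        return {"exception": "Authentication failed"}
    try:
        return {"result": METHODS[method](caller, *args)}
    except PermissionError as exc:
        return {"exception": str(exc)}
```

With `authenticate_vulnerable`, the disabled test@liferay.com account can still call `add-admin` and create a fresh administrator; with `authenticate_fixed`, the same credentials fail before any method is dispatched. The status check sits after password verification on purpose: an unknown account and a disabled account should produce the same error so the API does not reveal which accounts exist.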

Remediation

1. Immediately upgrade to the latest patched version of Liferay that addresses this authentication bypass
2. Change the default password for the test@liferay.com account before disabling it, or delete the account entirely if it is not needed; disabling alone leaves the password in place
3. Audit all user accounts, especially those with administrative privileges, and reset or remove the credentials of any disabled account so that it cannot be used to authenticate
4. Review JSON API access logs for suspicious activity or unauthorized method calls, in particular any calls authenticated as a disabled account
5. Implement network-level restrictions to limit JSON API access to trusted IP addresses where possible
6. After upgrading, verify that disabled user accounts are rejected when their credentials are presented to the JSON API
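As an added example for steps 3 to 5 (not an Invicti or Liferay tool), the script below audits JSON API access-log lines for calls authenticated as a disabled account and for calls from sources outside an IP allowlist. The log format, sample lines, account list, allowlist and API paths are all constructed for the example; the parser must be adapted to the real access-log layout of the deployment being audited.

```python
"""Audit JSON API access-log lines for disabled-account use and untrusted
sources. Added example; the log format and sample data are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ApiCall:
    ts: str
    client_ip: str
    account: str
    path: str
    status: int


@dataclass(frozen=True)
class Finding:
    reason: str
    call: ApiCall


# Constructed sample log: timestamp, client IP, authenticated account,
# request path, HTTP status. Not a real Liferay log format.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z 10.0.5.12 admin@example.com /api/jsonws/user/get-user-by-email-address 200
2024-03-01T10:15:40Z 203.0.113.7 test@liferay.com /api/jsonws/user/add-user 200
2024-03-01T10:16:03Z 203.0.113.7 test@liferay.com /api/jsonws/role/add-user-roles 200
2024-03-01T10:17:11Z 10.0.5.12 admin@example.com /api/jsonws/group/get-user-sites 200
2024-03-01T10:18:30Z 198.51.100.4 admin@example.com /api/jsonws/user/update-password 401
2024-03-01T10:19:05Z 10.0.5.12 admin@example.com /web/guest/home 200
"""

# Constructed: accounts known to be disabled in the portal, and the
# networks from which JSON API access is supposed to be permitted.
DISABLED_ACCOUNTS = {"test@liferay.com"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text: str, api_prefix: str = "/api/jsonws/") -> List[ApiCall]:
    """Keep only requests to the JSON API; skip blank lines."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, path, status = line.split()
        if path.startswith(api_prefix):
            calls.append(ApiCall(ts, ip, account, path, int(status)))
    return calls


def audit(calls: Iterable[ApiCall], disabled_accounts, allowed_networks) -> List[Finding]:
    """Flag disabled-account use (successful or attempted) and untrusted sources."""
    findings = []
    for call in calls:
        if call.account in disabled_accounts:
            if call.status < 400:
                findings.append(Finding("disabled account authenticated", call))
            else:
                findings.append(Finding("disabled account rejected (attempt)", call))
        ip = ipaddress.ip_address(call.client_ip)
        if not any(ip in net for net in allowed_networks):
            findings.append(Finding("source outside allowlist", call))
    return findings


def audit_sample() -> List[Finding]:
    return audit(parse_log(SAMPLE_LOG), DISABLED_ACCOUNTS, ALLOWED_NETWORKS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.call.ts} {f.call.client_ip:15} {f.call.account:20} {f.call.path}  <- {f.reason}")
```

On an unpatched instance a successful call by a disabled account is the signature of this vulnerability being exercised; after the upgrade, the same account should only ever appear with a 4xx status, which the audit reports separately so that continued attempts are still visible.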

Related Vulnerabilities