Can Acunetix scan Liferay Portal for known CVEs?

Yes. Acunetix includes a dedicated library of Liferay vulnerability checks and automatically tests those relevant to the detected version. This includes validation of exploitability, not just detection.

What are the most critical Liferay vulnerabilities today?

Critical risks include CVE-2020-7961 (remote code execution with active exploitation), multiple XSS vulnerabilities across modules, access control bypasses such as CVE-2022-42126, and more recent denial-of-service vulnerabilities affecting availability.

Is CVE-2022-42126 still a risk?

Yes. It affects Liferay Portal versions 7.3.5 through 7.4.3.28 and cannot be patched in certain release tracks. The only effective remediation is upgrading to a supported version.

What percentage of Liferay portals run vulnerable versions?

Outdated deployments are common in enterprise Liferay environments due to the complexity of upgrades and reliance on Maintenance Mode support tracks. Because some vulnerabilities are not patched in older versions, organizations often remain exposed until a full upgrade is completed.

How do I check which CVEs affect my installation?

Automated scanning is the most reliable method. Acunetix fingerprints your version and tests applicable vulnerabilities directly, confirming whether they are exploitable.

Does Acunetix detect vulnerabilities that require authentication?

Yes. Acunetix supports authenticated scanning and evaluates vulnerabilities that require user-level access, including access control flaws and stored cross-site scripting.

Why is continuous scanning necessary?

Because vulnerabilities are disclosed frequently and exploitation timelines are short, continuous scanning ensures that new risks are identified and addressed as soon as they appear.

Author Archives Zbigniew Banach

THE AUTHOR

Zbigniew Banach
Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.

Liferay vulnerability scanner: How to detect and remediate CVEs in Liferay Portal and DXP

Web Security Zone | June 9, 2026 by Zbigniew Banach

Liferay environments face a growing volume of CVEs and limited patch paths for older versions. This guide explains which vulnerabilities matter, how they are exploited, and how Acunetix scans Liferay Portal and DXP to identify real risk.

IIS security best practices: How to secure an IIS server and web applications

Web Security Zone | May 27, 2026 by Zbigniew Banach

Learn how to secure Microsoft IIS with practical hardening best practices, attacker-focused insights, and continuous validation strategies. This guide covers common IIS misconfigurations, real-world exploitation techniques, and how to protect web applications running on IIS servers.

SNI proxy SSRF vulnerabilities: Misconfigurations, exploitation, and defense

Web Security Zone | May 26, 2026 by Zbigniew Banach

SNI proxy SSRF is a lesser-known but high-impact vulnerability class where misconfigured proxies route traffic based on attacker-controlled TLS metadata. Under specific conditions, this can expose internal services and even cloud metadata endpoints in AWS and Azure. This article explains how these attacks work, when they are exploitable, and how to defend against them.

What is an IDOR vulnerability?

Web Security Zone | May 22, 2026 by Zbigniew Banach

Insecure direct object references (IDOR) are a type of access control vulnerability where an application exposes internal object identifiers – such as user IDs, order numbers, or file names – without verifying whether the requesting user is authorized to access them. IDOR is no longer…

Your session cookies are probably misconfigured: How to fix cookie security flags

Web Security Zone | May 21, 2026 by Zbigniew Banach

Understand how to correctly implement cookie security flags in modern web applications. Includes practical examples, browser behavior nuances, and guidance on HttpOnly, Secure, and SameSite settings.

Top 10 dynamic application security testing (DAST) tools for 2025

Web Security Zone | March 20, 2025 by Zbigniew Banach

This guide explores the top 10 DAST tools for 2025, highlighting the best commercial solutions as well as open-source options. Learn how the right tools can help you build DAST-first AppSec to secure your applications in production, integrate with DevSecOps, and minimize your web application security risk.

Take action and discover your vulnerabilities