CVE-2020-13444 – com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.0.0 <7.3.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00249 pctl0.48038

Details

Liferay Portal and Liferay DXP Fails to Sanitize API Data Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 19, and 7.2 before fix pack 7, does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.

Metadata

Created: 2022-05-24T17:20:05Z
Modified: 2025-05-14T07:26:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8j5r-9687-88w5/GHSA-8j5r-9687-88w5.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-8j5r-9687-88w5
Finding: F038
Auto approve: 1