logo

Database

SQL injection - Code In com.liferay.portal:release.portal.bom

Description

Liferay Portal and Liferay DXP Vulnerable to Multiple SQL Injections Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-290532. NVD-2021-290533. OSV-2021-290534. GCVE-2021-29053

References

1. https://web.archive.org/web/20221121171927/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/1207782252. http://liferay.com

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.