logo

Database

Lack of data validation In com.liferay.portal:release.portal.bom

Description

Liferay Portal and Liferay DXP Vulnerable to Arbitrary Code Execution In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-134452. NVD-2020-134453. OSV-2020-134454. https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce5. GCVE-2020-13445

References

1. https://issues.liferay.com/browse/LPE-170232. https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.