PT-2020-13545 · Liferay · Liferay Portal+1

Published: 2020-06-10 · Updated: 2022-05-24 · CVE-2020-13444

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions prior to 7.3.2
Liferay DXP versions prior to 7.0 fix pack 92
Liferay DXP versions prior to 7.1 fix pack 18
Liferay DXP versions prior to 7.2 fix pack 5

Description

The issue concerns the DDMDataProvider API, which does not properly sanitize the information it returns. This allows remote authenticated users to obtain the password to REST Data Providers.

Recommendations

For Liferay Portal versions prior to 7.3.2, update to version 7.3.2 or later.
For Liferay DXP versions prior to 7.0 fix pack 92, apply fix pack 92 or later.
For Liferay DXP versions prior to 7.1 fix pack 18, apply fix pack 18 or later.
For Liferay DXP versions prior to 7.2 fix pack 5, apply fix pack 5 or later.

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2020-13444
GHSA-8J5R-9687-88W5

Affected Products

Liferay DXP
Liferay Portal