PT-2020-13546 · Liferay · Liferay Portal (+1)

Credit: Alvaro Munoz (+1)

Published: 2020-06-10 · Updated: 2022-05-24 · CVE-2020-13445

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions prior to 7.3.2
Liferay DXP 7.0 versions prior to fix pack 92
Liferay DXP 7.1 versions prior to fix pack 18
Liferay DXP 7.2 versions prior to fix pack 6

Description

The template API does not restrict user access to sensitive objects, allowing remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.

Recommendations

For Liferay Portal versions prior to 7.3.2, update to version 7.3.2 or later.
For Liferay DXP 7.0 versions prior to fix pack 92, apply fix pack 92 or later.
For Liferay DXP 7.1 versions prior to fix pack 18, apply fix pack 18 or later.
For Liferay DXP 7.2 versions prior to fix pack 6, apply fix pack 6 or later.

Exploit · Fix

Weakness Enumeration

Special Elements Injection
Missing Authorization

Related Identifiers

CVE-2020-13445
GHSA-V377-8F8F-532H

Affected Products

Liferay DXP
Liferay Portal