PT-2020-14663 · Liferay · Liferay Portal+1

Published: 2020-09-24 · Updated: 2025-05-13 · CVE-2020-15840

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions prior to 7.3.1
Liferay Portal 6.2 EE
Liferay DXP versions prior to 7.2

Description

The issue allows the property 'portlet.resource.id.banned.paths.regexp' to be bypassed using double-encoded URLs.

Recommendations

For Liferay Portal versions prior to 7.3.1, update to version 7.3.1 or later.
For Liferay Portal 6.2 EE, consider disabling the use of the 'portlet.resource.id.banned.paths.regexp' property until a patch is available.
For Liferay DXP versions prior to 7.2, update to version 7.2 or later.
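
The description above names a general failure mode: a deny-list regexp matched against a value that still carries a layer of URL encoding. The following Java sketch is an added illustration, not Liferay's code. It contrasts a decode-once check with one that decodes to a fixed point and fails closed; the class name, the pattern, the round cap and the sample paths are all constructed assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class BannedPathCheck {
    // Constructed deny-list pattern for illustration; not a value taken from any Liferay release.
    static final Pattern BANNED = Pattern.compile(".*/(?:internal|private)/.*");
    static final int MAX_ROUNDS = 5; // assumed cap on nested encoding layers

    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // Weak form: decode once, then match. A second encoding layer survives the check.
    static boolean isBannedSingleDecode(String resourceId) {
        return BANNED.matcher(decode(resourceId)).matches();
    }

    // Hardened form: decode until the value stops changing, then match.
    // Malformed escapes or more than MAX_ROUNDS layers are treated as banned (fail closed).
    static boolean isBannedCanonical(String resourceId) {
        String current = resourceId;
        for (int i = 0; i < MAX_ROUNDS; i++) {
            String next;
            try {
                next = decode(current);
            } catch (IllegalArgumentException e) {
                return true; // malformed percent-escape
            }
            if (next.equals(current)) {
                return BANNED.matcher(current).matches();
            }
            current = next;
        }
        return true; // still changing after MAX_ROUNDS decodes
    }

    public static void main(String[] args) {
        String[] samples = {               // constructed sample inputs
            "/html/view.jsp",              // allowed path
            "/private/config.xml",         // plain banned path
            "/%70rivate/config.xml",       // one encoding layer
            "/%2570rivate/config.xml"      // two encoding layers
        };
        for (String s : samples) {
            System.out.printf("%-26s single=%-5b canonical=%b%n",
                s, isBannedSingleDecode(s), isBannedCanonical(s));
        }
    }
}
```

The same canonical form that passes the check must be the one handed to the resource lookup; otherwise a later decode step reintroduces the mismatch.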

Fix

Weakness Enumeration: Improper Access Control

Related Identifiers

CVE-2020-15840
GHSA-VRWX-Q9PJ-X488

Affected Products

Liferay DXP
Liferay Portal