PT-2020-14665 · Liferay · Liferay Portal+1
Published
2020-07-20
·
Updated
2025-05-13
·
CVE-2020-15842
CVSS v3.1
8.1
High
| Vector | AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions prior to 7.3.0
Liferay DXP 7.0 versions prior to fix pack 90
Liferay DXP 7.1 versions prior to fix pack 17
Liferay DXP 7.2 versions prior to fix pack 5
Description
The issue allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.
Recommendations
For Liferay Portal versions prior to 7.3.0, update to version 7.3.0 or later.
For Liferay DXP 7.0 versions prior to fix pack 90, apply fix pack 90 or later.
For Liferay DXP 7.1 versions prior to fix pack 17, apply fix pack 17 or later.
For Liferay DXP 7.2 versions prior to fix pack 5, apply fix pack 5 or later.
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal