In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
References
Link | Resource |
---|---|
https://issues.liferay.com/browse/LPE-17046 | Issue Tracking Vendor Advisory |
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204 | Vendor Advisory |
https://portal.liferay.dev/learn/security/known-vulnerabilities | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2020-09-24 08:15
Updated : 2020-10-07 04:36
NVD link : CVE-2020-15840
Mitre link : CVE-2020-15840
JSON object : View
CWE
Products Affected
liferay
- liferay_portal
- dxp