CVE-2020-15840
MEDIUM 5.3 | EPSS 0.19%
Liferay Portal and Liferay DXP Bypass via Double Encoded URL
Published: 2022/5/24 | Modified: 2025/5/28
Description
In Liferay Portal before 7.3.1, com.liferay.portal:com.liferay.portal.impl before 7.1.3 and 7.4.0, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
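The bypass described above, modelled in an added Java example that is not Liferay's own code. The regexp value, class and method names are hypothetical stand-ins for the property `portlet.resource.id.banned.paths.regexp`; the point is the ordering of decoding and matching. The weak model applies the deny-list regexp after the container has percent-decoded the resource id once, so a double-encoded id such as `/%2557EB-INF/...` is still `/%57EB-INF/...` when matched and only becomes `/WEB-INF/...` when a later component decodes it again. The hardened model decodes to a fixpoint (bounded) before matching and treats malformed or over-nested encodings as banned.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public final class BannedPathCheck {

    // Hypothetical deny-list regexp standing in for the value of
    // portlet.resource.id.banned.paths.regexp; it is NOT Liferay's real default.
    private static final Pattern BANNED =
        Pattern.compile("(?i)^/(?:WEB-INF|META-INF)(?:/.*)?$");

    // Upper bound on decode rounds so a hostile string cannot keep us looping.
    private static final int MAX_DECODE_ROUNDS = 4;

    /** One round of percent-decoding (note: URLDecoder also turns '+' into a space). */
    static String decodeOnce(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    /**
     * Weak model: the container decodes the id once, then the regexp is applied.
     * "%2557EB-INF" becomes "%57EB-INF" after one decode, slips past the regexp,
     * and only becomes "WEB-INF" when a later component decodes it again.
     */
    public static boolean isBannedAfterSingleDecode(String resourceId) {
        return BANNED.matcher(decodeOnce(resourceId)).matches();
    }

    /** Decode until the string stops changing, or give up after the bound. */
    public static String canonicalize(String resourceId) {
        String current = resourceId;
        for (int round = 0; round < MAX_DECODE_ROUNDS; round++) {
            String decoded = decodeOnce(current);
            if (decoded.equals(current)) {
                return current; // fixpoint reached: nothing left to decode
            }
            current = decoded;
        }
        throw new IllegalArgumentException("resource id nested too deeply");
    }

    /**
     * Hardened model: match the regexp against the fully decoded id. Malformed
     * escapes (URLDecoder throws IllegalArgumentException) and over-nested
     * encodings are rejected outright instead of being let through.
     */
    public static boolean isBannedCanonical(String resourceId) {
        try {
            return BANNED.matcher(canonicalize(resourceId)).matches();
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample resource ids for the demo.
        String[] samples = {
            "/WEB-INF/web.xml",        // plain banned path
            "/%57EB-INF/web.xml",      // single-encoded 'W'
            "/%2557EB-INF/web.xml",    // double-encoded: %25 -> '%', then %57 -> 'W'
            "/css/main.css"            // benign
        };
        for (String id : samples) {
            System.out.printf("%-24s singleDecode=%-5b canonical=%-5b%n",
                id, isBannedAfterSingleDecode(id), isBannedCanonical(id));
        }
    }
}
```

Running `main` shows the double-encoded sample passing the single-decode check while the canonical check still bans it. The same pattern applies to any deny-list applied to user-controlled paths: match against the canonical form the downstream consumer will actually see, and fail closed when canonicalization cannot complete.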
Affected packages (3)
- Maven / com.liferay.portal:com.liferay.portal.impl: >= 7.2.0, < 7.4.0
- Maven / com.liferay.portal:release.dxp.bom: from 0, < 7.0.10.fp93
- Maven / com.liferay.portal:release.portal.bom: from 0, < 7.3.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-15840
- PATCH: https://github.com/liferay/liferay-portal
- WEB: https://issues.liferay.com/browse/LPE-17046
- WEB: https://portal.liferay.dev/learn/security/known-vulnerabilities
- WEB: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204
- WEB: https://security.snyk.io/vuln/SNYK-JAVA-COMLIFERAYPORTAL-1296538