CVE-2020-15840 Information

Description

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property ‘portlet.resource.id.banned.paths.regexp’ can be bypassed with double-encoded URLs.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://issues.liferay.com/browse/LPE-17046
https://portal.liferay.dev/learn/security/known-vulnerabilities
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM
