Main Vulnerability Database Vulnerabilities #VU34347

Input validation error in Liferay Enterprise Portal - CVE-2020-13444

Published: June 10, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34347

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-13444

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Liferay Enterprise Portal

Software vendor:
Liferay

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.

Remediation

Install update from vendor's website.

External links

https://issues.liferay.com/browse/LPE-17009
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396

Input validation error in Liferay Enterprise Portal - CVE-2020-13444

Description

Remediation

External links

Please verify you're human