Input validation error in Liferay Enterprise Portal - CVE-2020-13444

 

Input validation error in Liferay Enterprise Portal - CVE-2020-13444

Published: June 10, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34347
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-13444
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Liferay
Affected software:
Liferay Enterprise Portal

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.


How to mitigate CVE-2020-13444

Install update from vendor's website.

Sources