Input validation error in Liferay Enterprise Portal - CVE-2020-13445

 

Input validation error in Liferay Enterprise Portal - CVE-2020-13445

Published: June 10, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34348
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-13445
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Liferay
Affected software:
Liferay Enterprise Portal

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.


How to mitigate CVE-2020-13445

Install update from vendor's website.

Sources