Main Vulnerability Database Vulnerabilities #VU34348

Input validation error in Liferay Enterprise Portal - CVE-2020-13445

Published: June 10, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34348

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2020-13445

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Liferay Enterprise Portal

Software vendor:
Liferay

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.

Remediation

Install update from vendor's website.

External links

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411

Input validation error in Liferay Enterprise Portal - CVE-2020-13445

Description

Remediation

External links

Please verify you're human