CVE-2020-15839
Description
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal and DXP fail to restrict multipart form data size, allowing authenticated remote DoS via large file uploads.
Vulnerability
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, do not enforce a size limit on multipart/form-data POST requests [1]. This allows attackers to upload arbitrarily large files.
Exploitation
A remote authenticated user can craft a multipart request containing a file of excessive size and submit it to the application. No special privileges beyond standard authentication are needed; the vulnerability exists in the default configuration.
Impact
Successful exploitation exhausts server resources (memory, disk, CPU), leading to a denial-of-service condition. The application may become unresponsive or crash, affecting availability for legitimate users.
Mitigation
Liferay has addressed this issue in Portal 7.3.3, DXP 7.1 fix pack 18, and DXP 7.2 fix pack 6. Users should upgrade to these or later versions [1]. There is no workaround reported.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.dxp.bom (Maven) | < 7.1.10.fp18 | 7.1.10.fp18 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.2.1, < 7.2.10.fp6 | 7.2.10.fp6 |
Affected products
- Liferay/Portal (source: description)
- osv-coords (2 versions): >= 7.1.0, <= 7.1.0 + 1 more
- (no CPE) range: >= 7.1.0, <= 7.1.0
- (no CPE) range: < 7.1.10.fp18
References
- github.com/advisories/GHSA-c7f6-4vx5-4263 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-15839 (ghsa; ADVISORY)
- issues.liferay.com/browse/LPE-17029 (ghsa; x_refsource_MISC; WEB)
- issues.liferay.com/browse/LPE-17055 (ghsa; x_refsource_MISC; WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities (ghsa; x_refsource_MISC; WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119784928 (ghsa; x_refsource_CONFIRM; WEB)