Maven package
com.liferay.portal/release.dxp.bom
pkg:maven/com.liferay.portal/release.dxp.bom
Vulnerabilities (125)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-15839 | — | < 7.1.10.fp18 | 7.1.10.fp18 | Sep 22, 2020 | Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files. | ||
| CVE-2020-15842 | — | >= 7.0.0, < 7.0.10.fp90 | 7.0.10.fp90 | Jul 20, 2020 | Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | ||
| CVE-2020-15841 | — | >= 7.0.0, < 7.0.10.fp89 | 7.0.10.fp89 | Jul 20, 2020 | Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature. | ||
| CVE-2020-13444 | — | >= 7.0.0, < 7.0.10.fp92 | 7.0.10.fp92 | Jun 10, 2020 | Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers. | ||
| CVE-2020-13445 | — | >= 7.0.0, < 7.0.10.fp92 | 7.0.10.fp92 | Jun 10, 2020 | In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker |
- CVE-2020-15839Sep 22, 2020affected < 7.1.10.fp18fixed 7.1.10.fp18
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.
- CVE-2020-15842Jul 20, 2020affected >= 7.0.0, < 7.0.10.fp90fixed 7.0.10.fp90
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.
- CVE-2020-15841Jul 20, 2020affected >= 7.0.0, < 7.0.10.fp89fixed 7.0.10.fp89
Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature.
- CVE-2020-13444Jun 10, 2020affected >= 7.0.0, < 7.0.10.fp92fixed 7.0.10.fp92
Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.
- CVE-2020-13445Jun 10, 2020affected >= 7.0.0, < 7.0.10.fp92fixed 7.0.10.fp92
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker
Page 7 of 7