Description
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.
Remediation
References