Description
In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with double-encoded URLs.