Description

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.

Remediation

References

CVE-2020-15840

Related Vulnerabilities

MySQL CVE-2019-2581 Vulnerability (CVE-2019-2581)

Oracle JRE CVE-2013-2434 Vulnerability (CVE-2013-2434)

Oracle JRE CVE-2014-0452 Vulnerability (CVE-2014-0452)

WordPress Plugin All-in-One Event Calendar Multiple Cross-Site Scripting Vulnerabilities (1.5)

TYPO3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-4056)

Severity

Medium

Classification

CVE-2020-15840 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities