Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-15840

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.

Published

2020-09-24T15:15:14.080

Last Modified

2025-05-13T18:17:51.450

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	liferay	digital_experience_platform	7.0	Yes
Application	liferay	digital_experience_platform	7.1	Yes
Application	liferay	digital_experience_platform	7.2	Yes
Application	liferay	liferay_portal	< 7.3.1	Yes
Application	liferay	liferay_portal	6.2	Yes

References

https://issues.liferay.com/browse/LPE-17046 Issue Tracking, Vendor Advisory ([email protected])
https://portal.liferay.dev/learn/security/known-vulnerabilities Vendor Advisory ([email protected])
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204 Vendor Advisory ([email protected])
https://issues.liferay.com/browse/LPE-17046 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://portal.liferay.dev/learn/security/known-vulnerabilities Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)