Description
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.
References (3)
Patch, Vendor Advisory (x_refsource_confirm): https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317411
Patch, Vendor Advisory (x_refsource_misc): https://issues.liferay.com/browse/LPE-17023
Exploit, Third Party Advisory (x_refsource_misc): https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce
Scores
CVSS v3: 8.8
EPSS: 0.0371
EPSS Percentile: 88.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-862, CWE-74
Status: published
Products (6)
com.liferay.portal/release.dxp.bom: 7.0.0 - 7.0.10.fp92 (Maven)
com.liferay.portal/release.portal.bom: 0 - 7.3.2 (Maven)
liferay/liferay_portal: 7.1 ga1 (3 CPE variants)
liferay/liferay_portal: 7.1.1 ga2
liferay/liferay_portal: 7.2 ga1
liferay/liferay_portal: 7.3 ga1 (2 CPE variants)
Published: Jun 10, 2020
Tracked Since: Feb 18, 2026