Description
SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
Severity
8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Affected Version(s)
- Liferay Portal 7.0.0 through 7.4.3.21
- Liferay DXP 7.4 GA through Update 9
- Liferay DXP 7.3 GA through Update 25
- Liferay DXP 7.2
- Liferay DXP 7.1
- Liferay DXP 7.0
- Liferay Portal 6.2 EE
Fixed Version(s)
- Liferay Portal 7.4.3.22
- Liferay DXP 7.4 Update 10
- Liferay DXP 7.3 Update 26
Publication date: Mon, 07 Oct 2024 16:23:00 +0000