Description
Kaleo Forms Admin in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP request.
Severity
7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Affected Version(s)
- Liferay DXP 7.4 GA
- Liferay DXP 7.3 GA through update 27
- Liferay DXP 7.2
- Liferay DXP 7.1
- Liferay DXP 7.0
- Liferay Kaleo Forms 2.x
Fixed Version(s)
- Liferay Portal 7.4.3.5
- Liferay DXP 7.4 update 1
- Liferay DXP 7.3 update 28
Publication date: Fri, 04 Oct 2024 14:17:00 +0000