Description
Liferay Portal 6.2.5 and earlier does not properly check permissions, which allows remote authenticated users to impersonate, edit, or delete administrators.
Workaround: Remove the User.DELETE, User.IMPERSONATE, User.PERMISSIONS and User.UPDATE permissions from any role or user.
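To verify that the workaround above has actually been applied, an administrator can list which roles still hold any of the four User actions before patching. The following read-only audit script is an added example, not part of this advisory or of Liferay's own code; it is written for the Script console in the Control Panel and assumes the Liferay 6.2 service API names used below (ResourcePermissionLocalServiceUtil, RoleLocalServiceUtil, ActionKeys, PortalUtil) and that the resource name for users is the User class name.

```groovy
// Added audit example (assumed Liferay 6.2 API): reports every role that
// still grants User.DELETE / IMPERSONATE / PERMISSIONS / UPDATE so the
// workaround can be confirmed. It only reads permission rows; it changes nothing.
import com.liferay.portal.kernel.dao.orm.QueryUtil
import com.liferay.portal.model.ResourcePermission
import com.liferay.portal.model.User
import com.liferay.portal.security.permission.ActionKeys
import com.liferay.portal.service.ResourcePermissionLocalServiceUtil
import com.liferay.portal.service.RoleLocalServiceUtil
import com.liferay.portal.util.PortalUtil

// The four actions the advisory says to remove from every role or user.
def riskyActions = [ActionKeys.DELETE, ActionKeys.IMPERSONATE,
                    ActionKeys.PERMISSIONS, ActionKeys.UPDATE]

long companyId = PortalUtil.getDefaultCompanyId()
String userResource = User.class.getName()   // assumed resource name for User permissions

// Fetch all resource-permission rows and keep those on the User resource
// for this company (scope is irrelevant here: any scope is a finding).
List<ResourcePermission> userPerms = ResourcePermissionLocalServiceUtil
    .getResourcePermissions(QueryUtil.ALL_POS, QueryUtil.ALL_POS)
    .findAll { it.getCompanyId() == companyId && it.getName() == userResource }

def findings = [:]   // role name -> set of risky actions still granted

userPerms.each { perm ->
    def granted = riskyActions.findAll { action -> perm.hasActionId(action) }
    if (granted) {
        def roleName = RoleLocalServiceUtil.getRole(perm.getRoleId()).getName()
        findings.get(roleName, [] as Set).addAll(granted)
    }
}

if (findings.isEmpty()) {
    out.println("OK: no role grants DELETE/IMPERSONATE/PERMISSIONS/UPDATE on User.")
} else {
    out.println("Roles still holding risky User actions (review before relying on the workaround):")
    findings.each { role, actions -> out.println("  ${role}: ${actions.sort().join(', ')}") }
}
```

Roles such as Administrator will legitimately appear in the output; the point is to confirm that no unexpected role (in particular none held by ordinary authenticated users) retains these actions until the March 2020 patch is applied.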
Severity
Severity 1
Fixed Version(s)
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page.
Publication date: Mon, 02 Mar 2020 07:21:00 +0000