CST-7063 Pingback vulnerability in blogs

Description

Server-side request forgery (SSRF) vulnerability in the pingback functionality of blogs in Liferay Portal before 7.1.0 allows remote attackers to send HTTP requests to intranet servers and to conduct port-scanning attacks by specifying a crafted source URL.

Workaround:

Disable pingbacks by setting blogs.pingbacks.enabled=false in portal.properties (Liferay reads overrides from portal-ext.properties).
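The server-side fetch behind this advisory is the receiver verifying a pingback: a client posts an XML-RPC pingback.ping call with a sourceURI and a targetURI, and the blog fetches sourceURI to confirm it links to the target. The example below, which is added here and is not Liferay's code or a patch for it, builds and parses that call and shows the pre-fetch check a receiver needs if pingbacks stay enabled: reject anything that is not http(s) on a normal port, and reject any host that resolves to a loopback, private, link-local or otherwise non-public address. The request shape follows the Pingback 1.0 specification; the host names and the address table standing in for DNS are constructed for the example.

```python
"""Pingback SSRF: the XML-RPC call that triggers the server-side fetch, and
a source-URL check applied before fetching. Added example, not Liferay code.
Host names and the FAKE_DNS table are constructed for the example."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def build_pingback_request(source_uri: str, target_uri: str) -> str:
    """Client side: pingback.ping(sourceURI, targetURI) as an XML-RPC body.
    The receiver fetches sourceURI to confirm it links to targetURI; that
    fetch is the request an attacker steers with a crafted sourceURI."""
    root = ET.Element("methodCall")
    ET.SubElement(root, "methodName").text = "pingback.ping"
    params = ET.SubElement(root, "params")
    for value in (source_uri, target_uri):
        param = ET.SubElement(params, "param")
        ET.SubElement(ET.SubElement(param, "value"), "string").text = value
    return ET.tostring(root, encoding="unicode")


def parse_pingback_request(body: str) -> tuple[str, str]:
    """Receiver side: extract (sourceURI, targetURI) from a pingback.ping call."""
    root = ET.fromstring(body)
    if root.findtext("methodName") != "pingback.ping":
        raise ValueError("not a pingback.ping call")
    values = [v.text or "" for v in root.iterfind("./params/param/value/string")]
    if len(values) != 2:
        raise ValueError("pingback.ping takes exactly two string params")
    return values[0], values[1]


# Constructed stand-in for DNS so the example runs offline (assumption).
FAKE_DNS = {
    "blog.example.com": ["93.184.216.34"],             # ordinary public host
    "localhost": ["127.0.0.1"],
    "intranet.corp.example": ["10.0.0.5"],              # RFC 1918 range
    "dual.example": ["93.184.216.34", "192.168.1.1"],   # mixed answer: reject
}


def resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def check_source_uri(source_uri, resolver=resolve, allowed_ports=(None, 80, 443)):
    """Return (ok, reason). ok is True only when the scheme is http(s), the port
    is one a blog would serve on, and every address the host resolves to is
    publicly routable. The port restriction is what removes the port-scan use."""
    u = urlparse(source_uri)
    if u.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    if not u.hostname:
        return False, "missing host"
    try:
        port = u.port
    except ValueError:
        return False, "malformed port"
    if port not in allowed_ports:
        return False, f"port {port} not allowed"
    try:
        addresses = [str(ipaddress.ip_address(u.hostname))]   # literal IP, v4 or v6
    except ValueError:
        addresses = resolver(u.hostname)
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{u.hostname} resolves to non-public {ip}"
    return True, "ok"


if __name__ == "__main__":
    body = build_pingback_request("http://intranet.corp.example:8080/admin",
                                  "http://blog.example.com/post/1")
    src, _ = parse_pingback_request(body)
    print(src, check_source_uri(src))
```

Two caveats for anyone wiring a check like this into a real receiver: the fetch must connect to the address that was validated (or re-validate after its own resolution), otherwise a DNS answer that changes between check and fetch bypasses it; and the fetch must not follow redirects, since a public source page that 302s to an intranet address reintroduces the same SSRF.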

Severity

Severity 1

Fixed Version(s)

Acknowledgments

This issue was reported by Christian Mehlmauer

Publication date: Mon, 02 Mar 2020 07:21:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.