Description
Liferay Portal before 7.3.1 does not decode a URL before determining if the resource should be served, which allows remote attackers to access restricted portlet resources (e.g., files within /META-INF and /WEB-IN) via double encoded URLs.
Severity
Severity 1
Fixed Version(s)
- Liferay Portal 7.3.1
- September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page.
Notes
CVE-2020-15840 has been assigned to this vulnerability.
Publication date: Mon, 31 Aug 2020 17:00:00 +0000