Description
Liferay Portal 7.1.0 and earlier contains a path traversal vulnerability in Web Content templates and Application Display Templates (ADT). The vulnerability allows any user with permission to create templates to read any file on the system.
Workaround: Review your portal permissions and ensure only trusted users have permission to add/edit Web Content templates and ADTs.
Severity
Severity 1
Fixed Version(s)
- Liferay Portal 7.1.1
- March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page.
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page.
Publication date: Wed, 21 Nov 2018 08:19:00 +0000