CST-7302 Remote code execution with FreeMarker/Velocity templates

Description

In Liferay Portal before 7.3.2, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.

Workaround: Review which users have permission to add and edit FreeMarker/Velocity templates. Only trusted users should be granted the permissions needed to add and edit templates. Reviewing the owners of existing templates may also be necessary, as owners have full privileges over their templates.
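
The advisory describes the issue class only in general terms (templates reaching objects they should not). The following is an added illustration, not Liferay's code or its fix, of the same class of problem in a plain FreeMarker setup: one user-supplied template is rendered under an unrestricted FreeMarker Configuration and under one whose new_builtin_class_resolver refuses to hand templates arbitrary classes. It assumes the stock FreeMarker API (freemarker.template.Configuration, TemplateClassResolver, StringTemplateLoader); the class name TemplateSandboxDemo, the template text and the data model are constructed for the example. The template instantiates freemarker.template.SimpleScalar, which is harmless; the point is that the template author, not the host application, chooses the class.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/**
 * Added illustration (not Liferay code): the same user-supplied template
 * rendered under an unrestricted FreeMarker configuration and under one
 * that refuses to give templates access to arbitrary classes.
 */
public class TemplateSandboxDemo {

    // Constructed sample template: it reaches a class by name via ?new.
    // SimpleScalar is harmless; any loadable class implementing
    // TemplateModel would be reachable the same way.
    static final String UNTRUSTED_TEMPLATE =
        "${\"freemarker.template.SimpleScalar\"?new(\"reached a class by name\")}";

    /** Configuration that leaves FreeMarker's class access wide open. */
    static Configuration unrestricted() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
        cfg.setAPIBuiltinEnabled(true);
        return cfg;
    }

    /**
     * Configuration that blocks ?new and ?api, the two built-ins that let a
     * template step outside the data model it was handed.
     */
    static Configuration hardened() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /**
     * Render the template against a minimal data model. Returns the output,
     * or "REFUSED: ..." when FreeMarker rejects the template at render time.
     */
    static String render(Configuration cfg, String source) throws IOException {
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("untrusted", source);
        cfg.setTemplateLoader(loader);

        Map<String, Object> model = new HashMap<>();
        model.put("userName", "alice"); // the only value the template should see

        StringWriter out = new StringWriter();
        try {
            Template t = cfg.getTemplate("untrusted");
            t.process(model, out);
            return out.toString();
        } catch (TemplateException e) {
            return "REFUSED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Unrestricted: prints "reached a class by name".
        System.out.println("unrestricted: " + render(unrestricted(), UNTRUSTED_TEMPLATE));
        // Hardened: the ?new built-in is refused and render() returns "REFUSED: ...".
        System.out.println("hardened:     " + render(hardened(), UNTRUSTED_TEMPLATE));
    }
}
```

The class resolver only governs the ?new and ?api built-ins. Any object the host application itself places in the data model or registers as a shared variable remains fully reachable through its public methods, so an application that lets non-administrators edit templates also has to decide, object by object, what the data model exposes; the permission review in the workaround above limits who can author templates, and a restricted data model limits what a template can reach.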

Severity

Severity 1

Fixed Version(s)

Notes

CVE-2020-13445 has been assigned to this vulnerability.

Acknowledgments

This issue was reported by Alvaro Muñoz (@pwntester)

Publication date: Tue, 09 Jun 2020 02:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.