- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
- Component/s: Portal Services > Templates Engine, Security Vulnerability
- Business Value: 5
- CVE IDs: CVE-2020-13445
- CVSS Base Score: 9.9
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- 7.0 Fix Pack Version: 92
- 7.1 Fix Pack Version: 18
- 7.2 Fix Pack Version: 6

In Liferay DXP 7.0, 7.1 and 7.2, the template API gives users access to sensitive objects, which allows remote authenticated users to execute arbitrary code via FreeMarker and Velocity templates.
See also in Help Center: https://help.liferay.com/hc/en-us/articles/360044036131