[LPE-17233] LSV-822: SQL/HQL Injection in Commerce Address Web & Commerce Product Service - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.3 DXP (7.3.10)
Fix Version/s: 7.3.X EE
Component/s: Commerce, Security Vulnerability
Labels:
- liferay-dxp-73-sp1
- liferay-fixpack-dxp-1-7310

CVE IDs:
CVE-2021-29053

Description

Multiple SQL injection vulnerabilities in Liferay DXP allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Tibor Lipusz

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 19/Mar/21 2:56 AM

Updated:: 11/May/21 7:58 PM

Resolved:: 11/May/21 7:57 PM

Packages

Version	Package
7.3.X EE