PUBLIC - Liferay Portal Enterprise Edition / LPE-17233

LSV-822: SQL/HQL Injection in Commerce Address Web & Commerce Product Service

    Details

    • CVE IDs:
      CVE-2021-29053

      Description

      Multiple SQL injection vulnerabilities in Liferay DXP allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.

            People

            Assignee:
            support-ee EE Support
            Reporter:
            tibor.lipusz Tibor Lipusz

                Packages

                Version Package
                7.3.X EE