CVE-2020-15840
Liferay Portal and Liferay DXP Bypass via Double Encoded URL
5.3
MEDIUM
CVSS 3.1
EPSS 0.19%
Description
In Liferay Portal before 7.3.1, com.liferay.portal:com.liferay.portal.impl before 7.1.3 and 7.4.0, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
How to fix CVE-2020-15840
To remediate CVE-2020-15840, upgrade the affected package to a fixed version below.
- —upgrade to 7.4.0 or later
- —upgrade to 7.0.10.fp93 or later
- —upgrade to 7.3.1 or later
Is CVE-2020-15840 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 7.2.0, < 7.4.0
- from 0, < 7.0.10.fp93
- from 0, < 7.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |