8.8
CVE-2020-13445
- EPSS 3.71%
- Published 10.06.2020 19:15:09
- Last modified 21.11.2024 05:01:17
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.
Data is provided by the National Vulnerability Database (NVD)
Liferay ≫ Liferay Portal Version7.1 Updatega1 SwEditioncommunity
Liferay ≫ Liferay Portal Version7.1 Updatega2 SwEditioncommunity
Liferay ≫ Liferay Portal Version7.1 Updatega3 SwEditioncommunity
Liferay ≫ Liferay Portal Version7.1.1 Updatega2 SwEditioncommunity
Liferay ≫ Liferay Portal Version7.2 Updatega1 SwEditioncommunity
Liferay ≫ Liferay Portal Version7.3 Updatega1 SwEditioncommunity
Liferay ≫ Liferay Portal Version7.3 Updatega2 SwEditioncommunity
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.71% | 0.875 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.