CVE-2020-15840

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
liferaydigital_experience_platform
7.0
liferaydigital_experience_platform
7.1
liferaydigital_experience_platform
7.2
liferayliferay_portal
𝑥
< 7.3.1
liferayliferay_portal
6.2
𝑥
= Vulnerable software versions
References
https://issues.liferay.com/browse/LPE-17046
https://portal.liferay.dev/learn/security/known-vulnerabilities
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204
https://issues.liferay.com/browse/LPE-17046
https://portal.liferay.dev/learn/security/known-vulnerabilities
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204