CVE-2020-13444Sensitive Information Exposure in Portal

CWE-200Sensitive Information Exposure4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 51.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Liferay Portal
Timeline
PublishedJun 10
Latest updateMay 24

Description

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

NVDliferay/liferay_portal4 versions+3

Patches

Patch: portal.liferay.devPatch: portal.liferay.dev

🔴Vulnerability Details

3
GHSA
Liferay Portal and Liferay DXP Fails to Sanitize API Data2022-05-24
OSV
Liferay Portal and Liferay DXP Fails to Sanitize API Data2022-05-24
CVEList
CVE-2020-13444: Liferay Portal 72020-06-10