CVE-2020-15842 — Deserialization of Untrusted Data in Portal

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.6%

top 31.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedJul 20

Latest updateMay 24

Description

Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶NVDliferay/liferay_portal< 7.3.0

▶NVDliferay/digital_experience_platform7.0, 7.1, 7.2+2

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP have Insecure Deserialization Vulnerability↗2022-05-24

▶

GHSA

Liferay Portal and Liferay DXP have Insecure Deserialization Vulnerability↗2022-05-24

▶

CVEList

CVE-2020-15842: Liferay Portal before 7↗2020-07-20

▶