com.liferay:com.liferay.change.tracking.web 2.0.119 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.liferay:com.liferay.change.tracking.web package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Incorrect Authorization Affected versions of this package are vulnerable to Incorrect Authorization in the `_com_liferay_change_tracking_web_portlet_PublicationsPortlet_value` parameter. An attacker can access and modify publication comments by sending crafted URLs as an authenticated user. How to fix Incorrect Authorization? Upgrade `com.liferay:com.liferay.change.tracking.web` to version 2.0.121 or higher.	[,2.0.121)
M Authorization Bypass Through User-Controlled Key Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the `_com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId` parameter. An attacker can access unauthorized publication edit pages by manipulating this parameter. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `com.liferay:com.liferay.change.tracking.web` to version 2.0.120 or higher.	[,2.0.120)
M Cross-site Request Forgery (CSRF) Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the comment's add/edit endpoints. An attacker can perform unauthorized actions on behalf of authenticated users by tricking them into submitting malicious requests. How to fix Cross-site Request Forgery (CSRF)? Upgrade `com.liferay:com.liferay.change.tracking.web` to version 2.0.121 or higher.	[2.0.9,2.0.121)

Vulnerability

Vulnerable Version

Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization in the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. An attacker can access and modify publication comments by sending crafted URLs as an authenticated user.

How to fix Incorrect Authorization?

Upgrade com.liferay:com.liferay.change.tracking.web to version 2.0.121 or higher.

[,2.0.121)

Authorization Bypass Through User-Controlled Key

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter. An attacker can access unauthorized publication edit pages by manipulating this parameter.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade com.liferay:com.liferay.change.tracking.web to version 2.0.120 or higher.

[,2.0.120)

Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the comment's add/edit endpoints. An attacker can perform unauthorized actions on behalf of authenticated users by tricking them into submitting malicious requests.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade com.liferay:com.liferay.change.tracking.web to version 2.0.121 or higher.

[2.0.9,2.0.121)

com.liferay:com.liferay.change.tracking.web@2.0.119 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically