com.liferay.portal:com.liferay.portal.impl@6.0.0 vulnerabilities

  • latest version

    109.0.0

  • latest non vulnerable version

  • first published

    8 years ago

  • latest version published

    18 days ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the com.liferay.portal:com.liferay.portal.impl package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Cross-site Scripting (XSS)

    com.liferay.portal:com.liferay.portal.impl is a package part of Liferay.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the HtmlUtil.escapeJsLink function. An attacker can inject arbitrary web script or HTML by crafting javascript: style links.

    How to fix Cross-site Scripting (XSS)?

    Upgrade com.liferay.portal:com.liferay.portal.impl to version 7.8.0 or higher.

    [,7.8.0)
    • M
    Observable Discrepancy

    com.liferay.portal:com.liferay.portal.impl is a package part of Liferay.

    Affected versions of this package are vulnerable to Observable Discrepancy due to the handling of different responses based on site existence or user permissions. An attacker can discover the existence of sites by enumerating URLs.

    Note:

    This is only exploitable if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

    How to fix Observable Discrepancy?

    Upgrade com.liferay.portal:com.liferay.portal.impl to version 7.8.0 or higher.

    [,7.8.0)
    • M
    Arbitrary File Write via Archive Extraction (Zip Slip)

    com.liferay.portal:com.liferay.portal.impl is a package part of Liferay.

    Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in FileUtil.unzip, which allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.

    How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

    Upgrade com.liferay.portal:com.liferay.portal.impl to version 47.1.0 or higher.

    [,47.1.0)
    • M
    Open Redirect

    com.liferay.portal:com.liferay.portal.impl is a package part of Liferay.

    Affected versions of this package are vulnerable to Open Redirect via the HtmlUtil.escapeRedirect, by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the 'redirectparameter, theFORWARD_URLparameter, and others parameters that rely onHtmlUtil.escapeRedirect`.

    How to fix Open Redirect?

    Upgrade com.liferay.portal:com.liferay.portal.impl to version 7.9.0 or higher.

    [,7.9.0)
    • M
    Access Restriction Bypass

    com.liferay.portal:com.liferay.portal.impl is a package part of Liferay.

    Affected versions of this package are vulnerable to Access Restriction Bypass by not properly checking user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.

    How to fix Access Restriction Bypass?

    Upgrade com.liferay.portal:com.liferay.portal.impl to version 6.05 or higher.

    [,6.05)
    • M
    Arbitrary File Access

    com.liferay.portal:com.liferay.portal.impl is a package part of Liferay.

    Affected versions of this package are vulnerable to Arbitrary File Access. The property portlet.resource.id.banned.paths.regexp can be bypassed with doubled encoded URLs, which allows remote attackers to access restricted portlet resources (e.g., files within /META-INF and /WEB-IN).

    How to fix Arbitrary File Access?

    Upgrade com.liferay.portal:com.liferay.portal.impl to version 7.4.0, 7.1.3 or higher.

    [7.2.0,7.4.0)[0,7.1.3)