com.liferay.portal:portal-impl@5.2.3 vulnerabilities

com.liferay.portal:portal-impl is a Portal Impl

Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor due to the lack of obfuscation for password reminder answers on the page.

Upgrade com.liferay.portal:portal-impl to version 5.18.4 or higher.

com.liferay.portal:portal-impl is a Portal Impl

Affected versions of this package are vulnerable to OS Command Injection via a crafted Velocity template. An attacker can execute arbitrary shell commands by sending a malicious request to the server.

Upgrade com.liferay.portal:portal-impl to version 6.1.1 or higher.

com.liferay.portal:portal-impl is a Portal Impl

Affected versions of this package are vulnerable to Arbitrary File Upload which allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists.

A fix was pushed into the master branch but not yet published.

com.liferay.portal:portal-impl is a Portal Impl

Affected versions of this package are vulnerable to Information Exposure in the JSON web services. It may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs.

Upgrade com.liferay.portal:portal-impl to version 5.18.3 or higher.

com.liferay.portal:portal-impl is a Portal Impl

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Deserialization of Untrusted Data in Liferay Portal allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

There is no fixed version for com.liferay.portal:portal-impl.