com.liferay.portal:com.liferay.portal.kernel@3.89.3 vulnerabilities

  • latest version

    166.0.0

  • first published

    9 years ago

  • latest version published

    1 month ago

  • Direct Vulnerabilities

    Known vulnerabilities in the com.liferay.portal:com.liferay.portal.kernel package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions
    • Medium severity
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the referer and FORWARD_URL parameters. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting a payload that uses encoded characters and a null byte (%00) in these parameters.

    How to fix Cross-site Scripting (XSS)?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 155.0.0 or higher.

    [,155.0.0)
    • Medium severity
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the PortalUtil.escapeRedirect function. An authenticated attacker can execute arbitrary JavaScript in the context of a victim's browser by supplying crafted input that this function fails to neutralize.

    How to fix Cross-site Scripting (XSS)?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 157.0.0 or higher.

    [,157.0.0)
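A worked example of the redirect-target validation behind the two XSS entries above, added here as illustration; it is not Liferay's PortalUtil.escapeRedirect and not code from the advisory. The allowlisted host, the default target and the sample payloads are constructed for the example. It shows the order a validator has to follow (percent-decode, reject control characters including the null byte, then check scheme and host) and that the value must still be HTML-escaped where it is echoed into the page, since a parameter such as FORWARD_URL reflected unescaped is what turns a bad redirect value into script execution:

```python
import html
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts the portal may redirect to (assumption for this example).
ALLOWED_HOSTS = frozenset({"portal.example"})
DEFAULT_REDIRECT = "/"


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded bytes such as %2500 are seen."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escape_redirect(raw: Optional[str], allowed_hosts: frozenset = ALLOWED_HOSTS) -> str:
    """Return a redirect target that is safe to use, or DEFAULT_REDIRECT when the input is not.

    Order matters: decode first, then reject control characters, then parse. A validator
    that parses or pattern-matches before decoding can be fooled by %00 or %2F sequences.
    """
    if not raw:
        return DEFAULT_REDIRECT
    url = normalize(raw)
    # NUL and other control characters are never legitimate in a redirect target; a check
    # that stops reading at the first NUL would let the rest of the payload through.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return DEFAULT_REDIRECT
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: only http(s) to an allowlisted host. .hostname strips userinfo, so
        # https://portal.example@evil.example/ resolves to evil.example and is refused.
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT_REDIRECT
        if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
            return DEFAULT_REDIRECT
        return url
    # No scheme: accept only a site-relative path. Protocol-relative (//host) and the
    # backslash variant (/\host) are treated as absolute by browsers, so refuse them.
    if not url.startswith("/") or url[1:2] in ("/", "\\"):
        return DEFAULT_REDIRECT
    return url


def render_continue_link(raw_forward_url: Optional[str]) -> str:
    """Echo the validated target into HTML. Output encoding is still required after
    validation because the value lands in an attribute context."""
    target = escape_redirect(raw_forward_url)
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    # Constructed inputs in the shape the advisory describes: encoded characters plus %00.
    for sample in (
        "/web/guest/home",
        "https://portal.example/web/guest",
        "/web/guest%00<script>alert(1)</script>",
        "%2Fweb%2500%3Cscript%3Ealert(1)%3C%2Fscript%3E",
        "javascript:alert(1)",
        "//evil.example/",
        "https://portal.example@evil.example/",
    ):
        print("%-50s -> %s" % (sample, escape_redirect(sample)))
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a small denial-of-service vector, and three rounds already expose the double-encoding tricks the entry mentions.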
    • Medium severity
    Timing Attack

    Affected versions of this package are vulnerable to a Timing Attack via the password encryptor used during login. An attacker can determine whether a given user account exists by measuring differences in server response time to crafted authentication requests.

    How to fix Timing Attack?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 157.0.0 or higher.

    [,157.0.0)
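An added example, not Liferay's login code, of the timing oracle this entry describes and how to close it. The user store, the PBKDF2 work factor and the decoy credential are constructed. The vulnerable variant skips the password hash for unknown usernames, so an unknown name answers noticeably faster; the hardened variant does the same work on both paths and compares digests in constant time. Running the module prints median timings for a known and an unknown user:

```python
import hashlib
import hmac
import os
import statistics
import time
from typing import Dict, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor for the example; production uses a higher or memory-hard cost


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed user store: username -> (salt, derived key). Not a real Liferay table.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_user("correct horse battery staple"),
}

# Decoy credential so that unknown usernames cost the same work as known ones. It is
# derived from random bytes, so no password an attacker supplies can match it.
_DECOY_SALT, _DECOY_KEY = make_user(os.urandom(16).hex())


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users, so the expensive hash is skipped and the response
    arrives measurably sooner: a username oracle. The == on bytes is not constant-time either."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return derive(password, salt) == expected


def login_hardened(username: str, password: str) -> bool:
    """Same code path and same work for known and unknown users; the comparison is
    constant-time via hmac.compare_digest and there is no early return on existence."""
    record = USERS.get(username)
    exists = record is not None
    salt, expected = record if exists else (_DECOY_SALT, _DECOY_KEY)
    computed = derive(password, salt)
    matched = hmac.compare_digest(computed, expected)
    # Non-short-circuit combination: both operands are always evaluated.
    return bool(matched & exists)


def median_seconds(fn, username: str, rounds: int = 15) -> float:
    """Median wall-clock time of fn(username, <wrong password>) over several rounds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, "definitely-wrong-password")
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        known = median_seconds(fn, "alice")
        unknown = median_seconds(fn, "nobody")
        print("%-17s known=%.4fs unknown=%.4fs ratio=%.1f"
              % (fn.__name__, known, unknown, known / max(unknown, 1e-9)))
```

On a typical machine the vulnerable function answers an unknown user in microseconds and a known one in tens of milliseconds; the hardened function shows the two within noise of each other. The same principle applies to any other pre-authentication branch (locked account, expired password) that is cheaper than the hash.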
    • Medium severity
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure via the calendar implementation. An attacker can read other users' calendars, including those users' names, by sending crafted requests; the harvested information can support further targeted attacks such as phishing.

    How to fix Information Exposure?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 160.0.0 or higher.

    [,160.0.0)
    • Medium severity
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the message boards feature in the web interface. An attacker can execute arbitrary JavaScript in the context of other users' browsers by injecting script into messages that those users later view.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • High severity
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the SessionClicks class. An attacker can exhaust server memory by sending crafted HTTP requests whose parameters are stored in the HTTP session without a bound on how many are kept.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 38.0.0 or higher.

    [,38.0.0)
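An added example, not the SessionClicks class itself, of the failure mode in this entry and the bound that prevents it. The limits and the attacker's parameter pattern are constructed. The unbounded store keeps every distinct parameter name a client sends for the life of the session; the bounded store caps the entry count and the key and value lengths per session, and the request handler independently caps how many parameters one request may store:

```python
from collections import OrderedDict
from typing import Dict, Iterable, Tuple


class UnboundedSessionClicks:
    """Mirrors the failure mode: every distinct parameter name is stored for the lifetime
    of the session, so the client decides how much heap each session holds."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {}

    def put(self, key: str, value: str) -> bool:
        self.data[key] = value
        return True

    def approx_bytes(self) -> int:
        return sum(len(k) + len(v) for k, v in self.data.items())


class BoundedSessionClicks:
    """Caps entries, key length and value length per session and evicts the
    least-recently-used entry when full. The limits are constructed for this example."""

    def __init__(self, max_entries: int = 256, max_key_len: int = 128, max_value_len: int = 1024) -> None:
        self.max_entries = max_entries
        self.max_key_len = max_key_len
        self.max_value_len = max_value_len
        self.data: "OrderedDict[str, str]" = OrderedDict()
        self.rejected = 0

    def put(self, key: str, value: str) -> bool:
        if len(key) > self.max_key_len or len(value) > self.max_value_len:
            self.rejected += 1
            return False
        if key in self.data:
            self.data.move_to_end(key)
        self.data[key] = value
        while len(self.data) > self.max_entries:
            self.data.popitem(last=False)  # evict least recently used
        return True

    def approx_bytes(self) -> int:
        return sum(len(k) + len(v) for k, v in self.data.items())


def apply_request_parameters(store, params: Iterable[Tuple[str, str]], max_params_per_request: int = 32) -> int:
    """Copies request parameters into the session store, as a clicks-style endpoint does.
    The per-request cap is a second, independent limit. Returns how many were stored."""
    stored = 0
    for i, (key, value) in enumerate(params):
        if i >= max_params_per_request:
            break
        if store.put(key, value):
            stored += 1
    return stored


def simulate_attack(store, requests: int = 500, params_per_request: int = 32) -> int:
    """Constructed attacker: every request carries fresh, never-repeating parameter names.
    Returns the store's approximate size in bytes afterwards."""
    for r in range(requests):
        params = [("k%d_%d" % (r, i), "v" * 64) for i in range(params_per_request)]
        apply_request_parameters(store, params, max_params_per_request=params_per_request)
    return store.approx_bytes()


if __name__ == "__main__":
    for cls in (UnboundedSessionClicks, BoundedSessionClicks):
        store = cls()
        print("%-23s entries=%6d approx_bytes=%8d" % (cls.__name__, len(store.data), 0), end="")
        print(" -> after attack: entries=%6d approx_bytes=%8d" % (len(store.data), simulate_attack(store)))
```

Eviction rather than rejection is chosen for the entry cap because the data is UI state (which panels a user collapsed) that can be lost harmlessly; for the size caps rejection is the right answer, since an oversized value is never legitimate and counting rejections gives a detection signal.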
    • Medium severity
    Observable Discrepancy

    Affected versions of this package are vulnerable to Observable Discrepancy because the server responds differently depending on whether a site exists and whether the user has permission to view it. An attacker can discover which sites exist by enumerating URLs and comparing the responses.

    Note: this is only exploitable if locale.prepend.friendly.url.style=2 is set and a custom 404 page is used.

    How to fix Observable Discrepancy?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 12.0.0 or higher.

    [,12.0.0)
    • Low severity
    Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass through unauthorized access to object definitions via search. The Object module does not segment object definitions by virtual instance when searching, so a remote authenticated user in one virtual instance can view the object definitions of another virtual instance simply by searching for them.

    How to fix Access Control Bypass?

    Upgrade com.liferay.portal:com.liferay.portal.kernel to version 94.0.0 or higher.

    [,94.0.0)
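An added example covering both the calendar exposure entry above and this one: the authorization scope (here the virtual instance, identified by companyId) belongs in the query the search layer builds, not in a post-filter that each caller may omit. This is illustrative code with a constructed in-memory index and a simplified bool-query shape; it is not the Liferay Object module, its search adapter, or the calendar code:

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    user_id: int
    company_id: int  # the virtual instance the caller belongs to


@dataclass(frozen=True)
class ObjectDefinition:
    definition_id: int
    company_id: int
    name: str


# Constructed search index spanning two virtual instances (100 and 200).
INDEX: List[ObjectDefinition] = [
    ObjectDefinition(1, 100, "Invoice"),
    ObjectDefinition(2, 100, "Supplier"),
    ObjectDefinition(3, 200, "Invoice"),
    ObjectDefinition(4, 200, "PatientRecord"),
]

# Maps query field names to dataclass attributes.
_FIELDS = {"name": "name", "companyId": "company_id"}


def build_query(principal: Principal, term: str, scope_to_instance: bool) -> Dict[str, Any]:
    """Simplified bool query: "must" clauses match the user's term, "filter" clauses restrict."""
    query: Dict[str, Any] = {"must": [{"match": {"name": term}}], "filter": []}
    if scope_to_instance:
        # The tenant restriction is attached by the search layer, not left to each caller.
        query["filter"].append({"term": {"companyId": principal.company_id}})
    return query


def _matches(clause: Dict[str, Any], doc: ObjectDefinition) -> bool:
    if "match" in clause:
        (field, value), = clause["match"].items()
        return value.lower() in getattr(doc, _FIELDS[field]).lower()
    if "term" in clause:
        (field, value), = clause["term"].items()
        return getattr(doc, _FIELDS[field]) == value
    raise ValueError("unsupported clause: %r" % (clause,))


def execute(query: Dict[str, Any]) -> List[ObjectDefinition]:
    clauses = query["must"] + query["filter"]
    return [doc for doc in INDEX if all(_matches(c, doc) for c in clauses)]


def search_vulnerable(principal: Principal, term: str) -> List[ObjectDefinition]:
    """Reproduces the advisory's failure: results are not segmented by virtual instance."""
    return execute(build_query(principal, term, scope_to_instance=False))


def search_scoped(principal: Principal, term: str) -> List[ObjectDefinition]:
    """Documents from another instance are never candidates, whatever term the caller passes."""
    return execute(build_query(principal, term, scope_to_instance=True))


def fetch_definition(principal: Principal, definition_id: int) -> Optional[ObjectDefinition]:
    """Direct lookup by id needs the same scope, and returns None rather than a distinct
    'forbidden' result so the lookup does not confirm that the id exists in another instance."""
    for doc in INDEX:
        if doc.definition_id == definition_id and doc.company_id == principal.company_id:
            return doc
    return None


if __name__ == "__main__":
    alice = Principal(user_id=7, company_id=100)
    print("vulnerable:", [(d.definition_id, d.company_id) for d in search_vulnerable(alice, "invoice")])
    print("scoped:    ", [(d.definition_id, d.company_id) for d in search_scoped(alice, "invoice")])
```

A useful regression check for any multi-tenant search endpoint is exactly the vulnerable call above: authenticate as a user in one instance, search for a name that exists only in another, and assert the result set is empty.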