Vulnerabilities

2 via 2 paths

Dependencies

5

Source

GitHub

Commit

967cbf14

medium severity
new

Arbitrary File Upload

  • Vulnerable module: com.liferay.portal:portal-service
  • Introduced through: com.liferay.portal:portal-service@6.2.1

Detailed paths

  • Introduced through: davidepastore/liferay-journal-article-converter@davidepastore/liferay-journal-article-converter#967cbf141fa576ba8313c33adc3d06107f234e19 com.liferay.portal:portal-service@6.2.1
    Remediation: Upgrade to com.liferay.portal:portal-service@6.2.5.

Overview

com.liferay.portal:portal-service is a portal service package for Liferay.

Affected versions of this package are vulnerable to Arbitrary File Upload: when frmfolders.html exists, requests of the form Command=FileUpload&Type=File&CurrentFolder=/ are accepted.

Workaround

Set the portal property dl.file.extensions to exclude PDFs from the list of file types accepted for upload to the document library.

Remediation

Upgrade com.liferay.portal:portal-service to version 6.2.5 or higher.

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: com.liferay.portal:util-taglib
  • Introduced through: com.liferay.portal:util-taglib@6.2.1

Detailed paths

  • Introduced through: davidepastore/liferay-journal-article-converter@davidepastore/liferay-journal-article-converter#967cbf141fa576ba8313c33adc3d06107f234e19 com.liferay.portal:util-taglib@6.2.1

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the maxFileSize parameter. An authenticated attacker can upload arbitrarily large files to the system's temp folder by modifying this parameter.

Remediation

Upgrade com.liferay.portal:util-taglib to version 8.4.6 or higher.

medium severity

LGPL-2.0 license

  • Module: com.liferay.portal:portal-service
  • Introduced through: com.liferay.portal:portal-service@6.2.1

Detailed paths

  • Introduced through: davidepastore/liferay-journal-article-converter@davidepastore/liferay-journal-article-converter#967cbf141fa576ba8313c33adc3d06107f234e19 com.liferay.portal:portal-service@6.2.1

LGPL-2.0 license

medium severity

LGPL-2.0 license

  • Module: com.liferay.portal:util-bridges
  • Introduced through: com.liferay.portal:util-bridges@6.2.1

Detailed paths

  • Introduced through: davidepastore/liferay-journal-article-converter@davidepastore/liferay-journal-article-converter#967cbf141fa576ba8313c33adc3d06107f234e19 com.liferay.portal:util-bridges@6.2.1

LGPL-2.0 license

medium severity

LGPL-2.0 license

  • Module: com.liferay.portal:util-java
  • Introduced through: com.liferay.portal:util-java@6.2.1

Detailed paths

  • Introduced through: davidepastore/liferay-journal-article-converter@davidepastore/liferay-journal-article-converter#967cbf141fa576ba8313c33adc3d06107f234e19 com.liferay.portal:util-java@6.2.1

LGPL-2.0 license

medium severity

LGPL-2.0 license

  • Module: com.liferay.portal:util-taglib
  • Introduced through: com.liferay.portal:util-taglib@6.2.1

Detailed paths

  • Introduced through: davidepastore/liferay-journal-article-converter@davidepastore/liferay-journal-article-converter#967cbf141fa576ba8313c33adc3d06107f234e19 com.liferay.portal:util-taglib@6.2.1

LGPL-2.0 license