CVE-2020-15840 | Vulnerability Database | Aqua Security

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property portlet.resource.id.banned.paths.regexp can be bypassed with doubled encoded URLs.

Affected Software

Name	Vendor	Start Version	End Version
Digital_experience_platform	Liferay	7.0 (including)	7.0 (including)
Digital_experience_platform	Liferay	7.1 (including)	7.1 (including)
Digital_experience_platform	Liferay	7.2 (including)	7.2 (including)
Liferay_portal	Liferay	*	7.3.1 (excluding)
Liferay_portal	Liferay	6.2 (including)	6.2 (including)

References

https://issues.liferay.com/browse/LPE-17046
https://portal.liferay.dev/learn/security/known-vulnerabilities
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204
https://issues.liferay.com/browse/LPE-17046
https://portal.liferay.dev/learn/security/known-vulnerabilities
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-15840
CWE	https://cwe.mitre.org/data/definitions/.html