First published: Tue Sep 22 2020
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, do not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by uploading large files.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.1 | |
Liferay Digital Experience Platform | =7.1-fix_pack_1 | |
Liferay Digital Experience Platform | =7.1-fix_pack_10 | |
Liferay Digital Experience Platform | =7.1-fix_pack_11 | |
Liferay Digital Experience Platform | =7.1-fix_pack_12 | |
Liferay Digital Experience Platform | =7.1-fix_pack_13 | |
Liferay Digital Experience Platform | =7.1-fix_pack_14 | |
Liferay Digital Experience Platform | =7.1-fix_pack_15 | |
Liferay Digital Experience Platform | =7.1-fix_pack_16 | |
Liferay Digital Experience Platform | =7.1-fix_pack_17 | |
Liferay Digital Experience Platform | =7.1-fix_pack_2 | |
Liferay Digital Experience Platform | =7.1-fix_pack_3 | |
Liferay Digital Experience Platform | =7.1-fix_pack_4 | |
Liferay Digital Experience Platform | =7.1-fix_pack_5 | |
Liferay Digital Experience Platform | =7.1-fix_pack_6 | |
Liferay Digital Experience Platform | =7.1-fix_pack_7 | |
Liferay Digital Experience Platform | =7.1-fix_pack_8 | |
Liferay Digital Experience Platform | =7.1-fix_pack_9 | |
Liferay Digital Experience Platform | =7.1-sp1 | |
Liferay Digital Experience Platform | =7.2 | |
Liferay Digital Experience Platform | =7.2-fix_pack_1 | |
Liferay Digital Experience Platform | =7.2-fix_pack_2 | |
Liferay Digital Experience Platform | =7.2-fix_pack_3 | |
Liferay Digital Experience Platform | =7.2-fix_pack_4 | |
Liferay Digital Experience Platform | =7.2-fix_pack_5 | |
Liferay Portal | <7.3.3 | |
The vulnerability ID for this issue is CVE-2020-15839.
The severity level of CVE-2020-15839 is medium (6.5).
Liferay Portal before 7.3.3, Liferay DXP 7.1 before fix pack 18, and Liferay DXP 7.2 before fix pack 6 are affected by CVE-2020-15839.
Remote authenticated users can exploit CVE-2020-15839 by conducting denial-of-service attacks through uploading large files in a multipart/form-data POST action.
You can find more information about CVE-2020-15839 in the following references: [Reference 1](https://issues.liferay.com/browse/LPE-17029), [Reference 2](https://issues.liferay.com/browse/LPE-17055), [Reference 3](https://portal.liferay.dev/learn/security/known-vulnerabilities).