Liferay Security Alert: 2020 July

The following issues may compromise the security of your Liferay Portal Enterprise Edition (EE) or Liferay Digital Experience Platform (DXP) implementation. This notification provides a description of the latest security vulnerabilities and recommended actions for Liferay Subscribers.

Affected Version/s

  • Liferay Digital Experience Platform 7.2
  • Liferay Digital Experience Platform 7.1
  • Liferay Digital Experience Platform 7.0
  • Liferay Portal 6.2 EE

Vulnerability Information

  • LSV-636: 'portlet.resource.id.banned.paths.regexp' bypass with doubled encoded URLs
  • LSV-697: DoS vulnerability with multipart/form-data requests

Download

The listed vulnerabilities are fixed under DXP Security Fix Pack: 202004. DXP Security Fix Packs require the latest released Fix Pack or can be built on a specific Fix Pack level upon request. Please read the DXP Security Fix Packs article for more information and installation instructions for DXP Security Fix Packs.

For more information on the vulnerabilities and affected versions for the issue, please visit the Help Center Security Advisories page. 