Published on: May 27, 2020

The following issues may compromise the security of your Liferay Digital Experience Platform implementation. This notification provides a description of the latest security vulnerabilities and recommended actions for Liferay Subscribers.

Affected Version/s

• Liferay Digital Experience Platform 7.2
• Liferay Digital Experience Platform 7.1
• Liferay Digital Experience Platform 7.0

Vulnerability Information

• LSV-658: Remote code execution (RCE) with FreeMarker/Velocity templates
• LSV-675: DDMDataProvider API leaks REST data provider password

Download

The listed vulnerabilities will be fixed under DXP Security Fix Pack: 202003. DXP Security Fix Packs require the latest released Fix Pack or can be built on a specific Fix Pack level upon request. Please read the DXP Security Fix Packs article for more information and installation instructions.

For more information on the vulnerability and affected versions for the issue, please visit the Help Center Security Advisories page.