CVE-2020-13444: Liferay Portal and Liferay DXP Fails to Sanitize API Data

May 24, 2022 (updated May 14, 2025)

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 19, and 7.2 before fix pack 7, does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.

References

github.com/advisories/GHSA-8j5r-9687-88w5
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17009
nvd.nist.gov/vuln/detail/CVE-2020-13444
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119317396

Code Behaviors & Features

Detect and mitigate CVE-2020-13444 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →