Description
SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.
Remediation
References
Related Vulnerabilities
WordPress Plugin EWWW Image Optimizer Remote Code Execution (2.8.3)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-3546)
WordPress Plugin Fast Velocity Minify Information Disclosure (2.7.6)
Atlassian Jira Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2019-20897)