CVE-2020-15840: Liferay Portal and Liferay DXP Bypass via Double Encoded URL

May 24, 2022 (updated May 28, 2025)

In Liferay Portal before 7.3.1, com.liferay.portal:com.liferay.portal.impl before 7.1.3 and 7.4.0, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property ‘portlet.resource.id.banned.paths.regexp’ can be bypassed with doubled encoded URLs.

References

github.com/advisories/GHSA-vrwx-q9pj-x488
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17046
nvd.nist.gov/vuln/detail/CVE-2020-15840
portal.liferay.dev/learn/security/known-vulnerabilities
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/119772204
security.snyk.io/vuln/SNYK-JAVA-COMLIFERAYPORTAL-1296538

Code Behaviors & Features

Detect and mitigate CVE-2020-15840 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →