CVE-2018-10795

Source
https://cve.org/CVERecord?id=CVE-2018-10795
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10795.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-10795
Published
2018-05-07T13:29:00.220Z
Modified
2026-03-14T09:45:06.016978Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files.

References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type
GIT
Repo
https://github.com/liferay/liferay-portal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.2.5"
        }
    ]
}

Affected versions

6.*
6.1.0-b1
6.1.0-b2
6.1.0-b3
6.1.0-b4
6.1.0-rc1
6.2.0-b1
6.2.0-b2
6.2.0-ga1
6.2.0-m2
6.2.0-m3
6.2.0-m4
6.2.0-m5
6.2.0-m6
6.2.0-rc1
6.2.0-rc2
6.2.0-rc3
6.2.0-rc4
6.2.0-rc5
6.2.0-rc6
6.2.1-ga2
6.2.2-ga3
6.2.3-ga4
6.2.4-ga5
6.2.5-ga6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10795.json"