Vulnerability Description
Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Liferay Portal | <= 6.2.5 |
Related Weaknesses (CWE)
References
- https://cxsecurity.com/issue/WLB-2018050029ExploitThird Party Advisory
- https://cxsecurity.com/issue/WLB-2018050029ExploitThird Party Advisory
FAQ
What is CVE-2018-10795?
CVE-2018-10795 is a vulnerability with a CVSS score of 8.8 (HIGH). Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via ...
How severe is CVE-2018-10795?
CVE-2018-10795 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-10795?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Liferay Portal.