Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormFernando CamaraPACKETSTORM:137279
HistoryJun 01, 2016 - 12:00 a.m.

Liferay CE Stored Cross Site Scripting

2016-06-0100:00:00
Fernando Camara
packetstormsecurity.com
48

0.088 Low

EPSS

Percentile

94.6%

JSON
`Fernando CΓ’mara @ Integrity S.A  
www.integrity.pt  
https://twitter.com/overflowy  
  
https://labs.integrity.pt/advisories/cve-2016-3670/  
  
---  
  
  
CVE-2016-3670 Stored Cross Site Scripting in Liferay CE  
  
1. Vulnerability Properties  
  
Title: Stored Cross-Site Scripting Liferay CE  
CVE ID: CVE-2016-3670  
CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)  
Vendor: Liferay Inc  
Products: Liferay  
Advisory Release Date: 27 May 2016  
Advisory URL: https://labs.integrity.pt/advisories/cve-2016-3670  
Credits: Discovery by Fernando CΓ’mara <fbc[at]integrity.pt>  
  
2. Vulnerability Summary  
  
Liferay is vulnerable to a stored XSS when an user is created with an  
malicious payload on the FirstName field.  
The javascript payload is executed when another user tries to use the  
profile search section.  
3. Technical Details  
  
An XSS vulnerability was found on the Profile Search functionality,  
accessible through User -> My Profile -> Search. An attacker can set a  
malicious javascript payload on his First Name affecting anyone who  
performs a search using a keyword present on his profile.  
  
The exploitation of this vulnerability could lead to an effective way to  
grab cookies (stealing sessions) from anyone that uses that search  
component.  
  
Exploitation Request: (User Registration with an malicious FirstName field)  
  
POST /liferay/web/guest/home?p_p_id=58&p_p_lifecycle=1&p_p_state=  
maximized&p_p_mode=view&_58_struts_action=%2Flogin%2Fcreate_account  
  
Data:  
  
_58_firstName=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2  
  
The vulnerability is located on the users.jsp and as shown below the origin  
is the lack of validation of user input:  
  
line 64: <a data-value=”<%= curUserName %>” href=”javascript:;”>  
  
4. Vulnerable Versions  
  
< 6.2 CE GA6  
  
5. Solution  
  
Update to version 7.0.0 CE RC1  
  
6. Vulnerability Timeline  
  
21/Jan/16 - Bug reported to Liferay  
22/Mar/16 – Bug verified by vendor  
22/Mar/16 – Bug fixed by vendor  
27/May/16 – Advisory released  
  
  
7. References  
  
https://issues.liferay.com/browse/LPS-62387  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3670  
  
  
`

Related

zdt 1
exploitpack 1
cve 1
prion 1
cvelist 1
openvas 1
checkpoint_advisories 1
veracode 1
nvd 1
exploitdb 1
zdt
zdt
Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting
2016-06-02 00:00:00
exploitpack
exploitpack
Liferay CE 6.2 CE GA6 - Persistent Cross-Site Scripting
2016-06-02 00:00:00
cve
cve
CVE-2016-3670
2016-06-13 14:59:03
prion
prion
Cross site scripting
2016-06-13 14:59:00
cvelist
cvelist
CVE-2016-3670
2016-06-13 14:00:00
openvas
openvas
Liferay Stored XSS Vulnerability
2016-08-01 00:00:00
checkpoint_advisories
checkpoint_advisories
Liferay Portal User Account Stored Cross Site Scripting (CVE-2016-3670)
2016-06-22 00:00:00
veracode
veracode
Cross-Site Scripting (XSS)
2020-06-02 06:08:23
nvd
nvd
CVE-2016-3670
2016-06-13 14:59:03
exploitdb
exploitdb
Liferay CE &lt; 6.2 CE GA6 - Persistent Cross-Site Scripting
2016-06-02 00:00:00

0.088 Low

EPSS

Percentile

94.6%

JSON
Related for PACKETSTORM:137279
zdt1exploitpack1cve1prion1cvelist1openvas1checkpoint_advisories1veracode1nvd1exploitdb1