2 matches found
Design/Logic Flaw
Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue...
CVE-2011-1504
CVE-2011-1504 is an XSS vulnerability in Liferay Portal Community Edition (CE) 5.x and 6.x up to, but not including, 6.0.6 GA. It allows remote authenticated users to inject arbitrary web script or HTML via a blog title. The issue is remedied by upgrading to 6.0.6 GA (or later) where the fix is ...