portal-web is vulnerable to Cross-site Scripting (XSS). The vulnerability exists because the _20_body parameter, used in the
comment field of an uploaded file, is not sanitized, allowing an authenticated user to inject malicious script.
packetstormsecurity.com/files/129199/Liferay-Portal-6.2-EE-SP8-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2014/Nov/61
www.deloitte.com/ar
www.securitytracker.com/id/1031255
github.com/liferay/liferay-portal/commit/04618c820b0a0c03c9e4fcbb297b061b7b199dc2
github.com/liferay/liferay-portal/pull/112
issues.liferay.com/browse/LPE-12961
twitter.com/Arl_rose?