com.liferay.portal.search.web is vulnerable to cross-site scripting (XSS). A remote attacker can inject and execute arbitrary JavaScript in a user’s browser via the curUserName parameter.
packetstormsecurity.com/files/137279/Liferay-CE-Stored-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2016/Jun/5
www.securitytracker.com/id/1036083
github.com/liferay/liferay-portal/commit/b7ce087039f3b753f36f558df5faefac4ad4b160
issues.liferay.com/browse/LPS-62387
labs.integrity.pt/advisories/cve-2016-3670/
www.exploit-db.com/exploits/39880