Liferay Portal 6.2 EE SP8 Cross Site Scripting Vulnerability
2014-11-21T00:00:00
ID: 1337DAY-ID-22910
Type: zdt
Reporter: Ariel Walter Garcia
Modified: 2014-11-21T00:00:00
Description
Liferay Portal versions 6.2 EE SP8 and below suffer from a cross site scripting vulnerability.
- Vendor Status: CONFIRMED
- Vendor Disclosure Date: October 17th 2014
- Public Disclosure Date: November 14th 2014
- Affected Vendor: LIFERAY - http://www.liferay.com/
- Affected System: Liferay Portal 6.2 EE SP8 and older versions
- Vulnerability Status: Fixed
Associated CWE:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html
******************************************************************************
CVE-2014-8349:
Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) allows remote authenticated users to inject arbitrary web script or HTML via the "_20_body" parameter in the comment field of an uploaded file.
The injected JavaScript executes later, when a user logged in with an administrator account clicks "View" under the "My Workflow Tasks" option within the "My Account" menu while looking for comments awaiting approval.
- Available fix:
Patch: LPE-12961
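
For sites triaging exposure, the following added example (not part of the original advisory and not Liferay's patch) pulls "_20_body" values out of form-encoded request bodies, flags those carrying HTML tags, and shows the output encoding that keeps a stored comment inert when it is displayed. The request bodies and function names are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

PARAM = "_20_body"  # comment parameter named in the advisory

# A "<" directly followed by a tag-name character, "/", "!" or "?" is how an
# HTML parser recognises markup; "a < b" in ordinary text does not match.
TAG_START = re.compile(r"<[a-zA-Z/!?]")

# Constructed sample request bodies (application/x-www-form-urlencoded).
SAMPLE_BODIES = [
    "_20_body=Looks+good+to+me",
    "_20_body=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "_20_body=a+%3C+b+and+c+%3E+d",
]


def comment_bodies(form_body):
    """Return the URL-decoded _20_body values found in one request body."""
    return parse_qs(form_body, keep_blank_values=True).get(PARAM, [])


def is_suspicious(value):
    """True when a comment value contains something a browser would parse as a tag."""
    return bool(TAG_START.search(value))


def triage(bodies):
    """Return (index, value) for every _20_body value that carries markup."""
    return [
        (i, value)
        for i, body in enumerate(bodies)
        for value in comment_bodies(body)
        if is_suspicious(value)
    ]


def render_safe(value):
    """HTML-encode a stored comment before it is written into a page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for index, value in triage(SAMPLE_BODIES):
        print(f"body #{index}: flagged {value!r}")
        print(f"  encoded for display: {render_safe(value)}")
```

The tag check is a review heuristic only; encoding the comment at output time is the control that addresses CWE-79.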
# 0day.today [2018-01-09] #