Liferay Portal 6.2 EE SP8 Cross Site Scripting Vulnerability

2014-11-21T00:00:00
ID 1337DAY-ID-22910
Type zdt
Reporter Ariel Walter Garcia
Modified 2014-11-21T00:00:00

Description

Liferay Portal versions 6.2 EE SP8 and below suffer from a cross site scripting vulnerability.

                                        
                                            - Vendor Status: CONFIRMED

- Vendor Disclosure Date: October 17th 2014

- Public Disclosure Date: November 14th 2014

- Affected Vendor: LIFERAY - http://www.liferay.com/

- Affected System: Liferay Portal 6.2 EE SP8 and older versions

- Vulnerability Status: Fixed


Associated CWE:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html

******************************************************************************

CVE-2014-8349:

Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) allows remote authenticated users to inject arbitrary web script or HTML via the "_20_body" parameter in the comment field of an uploaded file.

The Javascript injection will later exploit when clicking on "View" from under the "My Workflow Tasks" option within the "My Account" menu, when logged in with an administrator account, and looking for the approval of comments.


- Available fix:

  Patch: LPE-12961

#  0day.today [2018-01-09]  #