Forums
Liferay Portal PCE contains multiple cross-site scripting vulnerabilities
Shin Sameshima, modified 9 years ago.
New Member, Posts: 11, Join date: 03.08.13
Hi, everybody.
I noted the following vulnerability. Is Liferay 6.2 affected by this vulnerability?
http://www.kb.cert.org/vuls/id/100972
Description
---------------------------
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2963
Liferay is affected by a Persistent Cross Site Scripting vulnerability in the "my account area".
The specific versions affected are: Liferay Portal Community Edition 6.1.2 CE GA3, 6.1.X EE, 6.2.X EE, Master
Three instances of this issue were identified, at the following locations/parameters:
/group/control_panel/manage [_2_firstName parameter]
/group/control_panel/manage [_2_lastName parameter]
/group/control_panel/manage [_2_middleName parameter]
---------------------------
Regards
Tomas Polesovsky, modified 9 years ago.
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabilities
Liferay Master, Posts: 676, Join date: 13.02.09
Hi,
yes, 6.2 is vulnerable. We addressed the vulnerability and we are building patches for 6.1 EE, 6.2 EE + 6.2 CE GA2 (6.2.1).
Please monitor our customer portal for the EE patches and the CST known vulnerabilities page for the CE patch.
Thank you.
Shin Sameshima, modified 9 years ago.
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabilities
New Member, Posts: 11, Join date: 03.08.13
Hi, Tomas
Thank you for your quick reply.
Please tell me the Jira number (LPS-*****) for CVE-2014-2963.
I can't find a description of the XSS issue in the "my account area".
Regards.
Tomas Polesovsky, modified 9 years ago.
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabilities (Answer)
Liferay Master, Posts: 676, Join date: 13.02.09
Hi Shin,
it's LPS-46156 but only Community Security Team members can see the details.
Shin Sameshima, modified 9 years ago.
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabilities
New Member, Posts: 11, Join date: 03.08.13
Hi, Tomas.
I will wait for LPS-46156 to be fixed.
Thank you.
raghu batchu, modified 9 years ago.
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabilities
New Member, Posts: 9, Join date: 23.08.09
Hi
If this is fixed please let me know the patch location for 6.0 and 6.1 EE.
Thanks
Raghu Batchu
gary b, modified 8 years ago.
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabilities
Junior Member, Posts: 81, Join date: 02.02.13
Hi,
We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.
It was observed that our application renders user-supplied scripts in the browser, resulting in cross-site scripting attacks.
One example is below:
While capturing the request in a proxy tool and appending the payload "><script>alert(document.cookie)</script> to the URL, it gets executed, displaying the session ID and also returning 200 OK on the console.
We need to protect our site from cross-site scripting attacks. Please let me know how to resolve this.
Thanks in Advance.
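The symptom gary b describes (a value beginning with `">` closing an attribute and the enclosing tag, so the rest is parsed as markup) is what output encoding at render time is meant to prevent. The following is an added illustration, not code from Liferay or from anyone in this thread: it renders a profile field into an HTML attribute once without encoding and once with a small context-aware HTML escaper, then checks whether a `<script` tag reached the output. The `renderUnsafe`/`renderSafe` functions and the `escapeHtml` helper are assumptions written for this example; Liferay itself ships an equivalent escaper in `com.liferay.portal.kernel.util.HtmlUtil.escape(String)`, and a JSP or template that writes request or profile data should go through that (or the taglib equivalent) rather than concatenating raw values.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not Liferay code): context-aware HTML output encoding for a
// user-controlled value reflected into a page, e.g. a profile field such as
// firstName. The payload below is the one quoted earlier in this thread.
public final class XssOutputEncodingDemo {

    // Minimal HTML escaper for the five characters that matter in text and
    // double-quoted attribute contexts. Liferay provides HtmlUtil.escape for
    // the same purpose; a hand-written copy keeps this example stand-alone.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable rendering (hypothetical template): the raw value is dropped
    // into an attribute. A value starting with "> closes the attribute and the
    // tag, so everything after it is parsed as markup by the browser.
    public static String renderUnsafe(String firstName) {
        return "<input type=\"text\" name=\"firstName\" value=\""
            + firstName + "\">";
    }

    // Hardened rendering: same template, value encoded for the attribute
    // context, so the quote and angle brackets stay inside the attribute.
    public static String renderSafe(String firstName) {
        return "<input type=\"text\" name=\"firstName\" value=\""
            + escapeHtml(firstName) + "\">";
    }

    // Cheap check a reviewer can apply to rendered output: with the value
    // encoded, the only '<' characters present are the ones the template wrote.
    public static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample input: the payload quoted in the thread.
        String payload = "\"><script>alert(document.cookie)</script>";

        Map<String, String> renderings = new LinkedHashMap<>();
        renderings.put("unsafe", renderUnsafe(payload));
        renderings.put("safe", renderSafe(payload));

        for (Map.Entry<String, String> e : renderings.entrySet()) {
            System.out.printf("%-6s script tag present: %-5s %s%n",
                e.getKey(), containsScriptTag(e.getValue()), e.getValue());
        }
    }
}
```

Running it prints `true` for the unsafe rendering and `false` for the safe one; the encoded output is `<input type="text" name="firstName" value="&quot;&gt;&lt;script&gt;...">`, which the browser shows as literal text inside the field. The same encoding must be applied per output context (attribute, element body, JavaScript string, URL), and the fix belongs at the point of output rather than in an input filter, because the stored name is rendered in several places with different contexts.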