Liferay Community Security Team - Notifications for new vulnerabilitiesLiferay Community Security Team - Notifications for new vulnerabilitiesCST-SA: LPS-33764 Various XSS Issues in Liferay 6.1.1James Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232693752013-04-02T19:48:25Z2013-04-02T19:48:25ZJames Falkner2013-04-02T19:48:25ZCST-SA: LPS-31750 Non-secure cookie LFR_SESSION_STATE_XXXXXX is created when connected over HTTPSJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232677222013-04-02T19:08:46Z2013-04-02T19:08:46ZJames Falkner2013-04-02T19:08:46ZCST-SA: LPS-31090 DLFileVersionServiceImpl.getLatestFileVersion(long) doesn't have permission checkJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232676392013-04-02T19:04:21Z2013-04-02T19:04:21ZJames Falkner2013-04-02T19:04:21ZCST-SA: LPS-31063 XSS vulnerability with swfuploaderJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232675922013-04-02T19:00:35Z2013-04-02T19:00:35ZJames Falkner2013-04-02T19:00:35ZCST-SA: LPS-30940 cdn_host parameter allows JS injection (XSS)James Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232675052013-04-02T18:54:26Z2013-04-02T18:54:26ZJames Falkner2013-04-02T18:54:26ZCST-SA: LPS-29872 Organization admin of sub organization can export users of parent organizationJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232674292013-04-02T18:50:18Z2013-04-02T18:50:18ZJames Falkner2013-04-02T18:50:18ZCST-SA: LPS-29341 Posting messages in foreign Message BoardsJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232662492013-04-02T18:41:04Z2013-04-02T18:41:04ZJames Falkner2013-04-02T18:41:04ZCST-SA: LPS-29268 Simple DOS attack on PortletPreferencesJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/232657892013-04-02T18:12:34Z2013-04-02T18:12:34ZJames Falkner2013-04-02T18:12:34ZCST-SA: LPS-30437 Users without permission can create folders/files in the root folderJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/179826212012-11-16T17:40:15Z2012-11-16T17:40:15ZJames Falkner2012-11-16T17:40:15ZCST-SA: LPS-28550 Able to view any journal structure/template's sourceJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/179824542012-11-16T17:35:03Z2012-11-16T17:27:55ZJames Falkner2012-11-16T17:27:55ZCST-SA: LPS-30796 Delete any file on the server (Knowledge Base)James Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/179823782012-11-16T17:22:07Z2012-11-16T17:22:07ZJames Falkner2012-11-16T17:22:07ZCST-SA: LPS-30093 Organization administrators can change an omni-admin's passwordJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/173932102012-10-23T16:27:53Z2012-10-23T16:27:53ZJames Falkner2012-10-23T16:27:53ZCST-SA: LPS-29338 XSS in group membership requestsJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/173931432012-10-23T16:24:22Z2012-10-23T16:24:22ZJames Falkner2012-10-23T16:24:22ZCST-SA: LPS-29148 Private announcements can be viewed through announcement editJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/173930652012-10-23T16:19:12Z2012-10-23T16:19:12ZJames Falkner2012-10-23T16:19:12ZCST-SA: LPS-29061 test@liferay.com created by setupwizard even when different user specifiedJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/173929382012-10-23T16:13:08Z2012-10-23T16:13:08ZJames Falkner2012-10-23T16:13:08ZCST-SA: LPS-30586 Able to delete any user by created URLJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/173927882012-10-23T16:04:49Z2012-10-23T16:04:49ZJames Falkner2012-10-23T16:04:49ZCST-SA: LPS-28934 Delete any file on the server (Wiki)James Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/151751762012-10-23T15:44:15Z2012-07-31T20:43:12ZJames Falkner2012-07-31T20:43:12ZCST-SA: LPS-28836 Directory traversal with document conversionJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/150452372012-10-23T15:44:53Z2012-07-26T14:09:39ZJames Falkner2012-07-26T14:09:39ZCST-SA: LPS-28423 Delete any file on the serverJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/147740062012-10-23T15:49:03Z2012-07-09T21:31:45ZJames Falkner2012-07-09T21:31:45ZCST-SA: LPS-26930 Reconfigure Liferay to use a remote cacheJames Falknerhttp://www.liferay.com/de/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/147739542012-10-23T15:48:44Z2012-07-09T21:23:55ZJames Falkner2012-07-09T21:23:55Z