Liferay Portal PCE contains multiple cross-site scripting vulnerabilities
Shin Sameshima, modified 9 years ago
New Member Posts: 11 Join date: 2013.08.03.
Hi, everybody.
I noted the following vulnerability. Is Liferay 6.2 affected by this vulnerability?
http://www.kb.cert.org/vuls/id/100972
Description
---------------------------
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2963
Liferay is affected by a Persistent Cross Site Scripting vulnerability in the "my account area".
The specific versions affected are: Liferay Portal Community Edition 6.1.2 CE GA3, 6.1.X EE, 6.2.X EE, Master
Three instances of this issue were identified, at the following locations/parameters:
/group/control_panel/manage [_2_firstName parameter]
/group/control_panel/manage [_2_lastName parameter]
/group/control_panel/manage [_2_middleName parameter]
---------------------------
Regards
Tomas Polesovsky, modified 9 years ago
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti
Liferay Master Posts: 676 Join date: 2009.02.13.
Hi,
yes, 6.2 is vulnerable. We addressed the vulnerability and we are building patches for 6.1 EE, 6.2 EE + 6.2 CE GA2 (6.2.1).
Please monitor our customer portal for the EE patches and the CST known vulnerabilities page for the CE patch.
Thank you.
Shin Sameshima, modified 9 years ago
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti
New Member Posts: 11 Join date: 2013.08.03.
Hi, Tomas
Thank you for your quick reply.
Please tell me the Jira number (LPS-*****) for CVE-2014-2963.
I can't find the description of the XSS issue in the "my account area".
Regards.
Tomas Polesovsky, modified 9 years ago
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti (Answer)
Liferay Master Posts: 676 Join date: 2009.02.13.
Hi Shin,
it's LPS-46156 but only Community Security Team members can see the details.
Shin Sameshima, modified 9 years ago
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti
New Member Posts: 11 Join date: 2013.08.03.
Hi, Tomas.
I will wait for LPS-46156 to be fixed.
Thank you.
raghu batchu, modified 9 years ago
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti
New Member Posts: 9 Join date: 2009.08.23.
Hi
If this is fixed, please let me know the patch location for 6.0 and 6.1 EE.
Thanks
Raghu Batchu
gary b, modified 8 years ago
RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti
Junior Member Posts: 81 Join date: 2013.02.02.
Hi,
We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.
It was observed that our application renders user-supplied scripts in the browser, resulting in cross-site scripting attacks.
One example is below:
While capturing the request in proxy tools and appending the payload “><script>alert (document. Cookie) </script> to the URL, it gets executed, displaying the session ID and also giving a 200 OK success on the console.
We need to protect our site from cross-site scripting attacks. Please let me know how to resolve this.
Thanks in Advance.
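Both the advisory quoted in the opening post (stored XSS via the `_2_firstName`, `_2_lastName` and `_2_middleName` parameters in the my-account form) and gary b's report of a script tag being rendered back into the page come down to the same root cause, CWE-79: a user-controlled value is concatenated into HTML without contextual output encoding. The following Java program is an added example, not code from Liferay or from anyone in this thread. It shows the unsafe rendering beside its hardened form and a small check a defender can run over rendered markup. The HTML template and the `ProfileRenderDemo` class are hypothetical; the stored first-name value is a constructed sample, and the escaper is a minimal stand-in for what a portal's own HTML-escaping utility (in Liferay, `HtmlUtil.escape`) does, so that the program compiles with plain `javac` and no portal dependencies.

```java
/**
 * Added example (not Liferay code): rendering a profile name field with and
 * without HTML output encoding. Parameter names mirror the advisory quoted
 * in the thread; the surrounding markup is hypothetical.
 */
public class ProfileRenderDemo {

    // Constructed sample: the kind of value a stored-XSS payload leaves in the
    // first-name column once the form accepts it unchecked.
    static final String STORED_FIRST_NAME = "\"><script>alert(document.cookie)</script>";

    /** Vulnerable: the stored value is spliced straight into an HTML attribute. */
    static String renderVulnerable(String firstName) {
        return "<input name=\"_2_firstName\" value=\"" + firstName + "\">";
    }

    /** Hardened: the value is HTML-escaped before it reaches the page. */
    static String renderHardened(String firstName) {
        return "<input name=\"_2_firstName\" value=\"" + escapeHtml(firstName) + "\">";
    }

    /**
     * Minimal HTML escaper for text and quoted-attribute contexts. This is an
     * assumption-level stand-in for a portal utility such as Liferay's
     * HtmlUtil.escape; a real deployment should use the framework's own escaper.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#34;");  break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Detection-style check: does rendered markup still contain a live script tag? */
    static boolean containsLiveScript(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        String bad = renderVulnerable(STORED_FIRST_NAME);
        String good = renderHardened(STORED_FIRST_NAME);
        System.out.println("vulnerable: " + bad);
        System.out.println("  live script present? " + containsLiveScript(bad));   // true
        System.out.println("hardened:   " + good);
        System.out.println("  live script present? " + containsLiveScript(good));  // false
    }
}
```

The hardened path is the fix the vendor patches referenced above apply in spirit: encode at output time, in the context where the value lands (here a double-quoted attribute), rather than trying to strip "bad" characters at input time. In JSP the same effect comes from rendering the value through an escaping tag or utility instead of a raw scriptlet expression, and the `containsLiveScript` style of check is useful as a regression test against a page's rendered output after the patch is installed.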