掲示板

  1. ホーム
  2. Development
  3. Liferay Portal PCE contains multiple cross-site scripting vulnerabilities

Liferay Portal PCE contains multiple cross-site scripting vulnerabilities

thumbnail
9年前 に Shin Sameshima によって更新されました。

Liferay Portal PCE contains multiple cross-site scripting vulnerabilities

New Member 投稿: 11 参加年月日: 13/08/03 最新の投稿
Hi, everybody.
I noted the following vulnerability. Is Liferay 6.2 affected to this vulnerability?

http://www.kb.cert.org/vuls/id/100972

Description
---------------------------
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2963
Liferay is affected by a Persistent Cross Site Scripting vulnerability in the "my account area".
The specific versions affected are: Liferay Portal Community Edition 6.1.2 CE GA3, 6.1.X EE, 6.2.X EE, Master
Three instances of this issue were identified, at the following locations/parameters:

/group/control_panel/manage [_2_firstName parameter]
/group/control_panel/manage [_2_lastName parameter]
/group/control_panel/manage [_2_middleName parameter]
---------------------------

Regards
thumbnail
9年前 に Tomas Polesovsky によって更新されました。

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

Liferay Master 投稿: 676 参加年月日: 09/02/13 最新の投稿
Hi,

yes, 6.2 is vulnerable. We addressed the vulnerability and we are building patches for 6.1 EE, 6.2 EE + 6.2 CE GA2 (6.2.1).

Please monitor our customer portal for EE patches and CST known vulnerabilities page for CE patch.

Thank you.
thumbnail
9年前 に Shin Sameshima によって更新されました。

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

New Member 投稿: 11 参加年月日: 13/08/03 最新の投稿
Hi,tomas
Thank you for your quick reply.
Please tell me about Jira No.(LPS-*****) of CVE-2014-2963.
I can't look for description of XSS issue in "my account area".

Regards.
thumbnail
9年前 に Tomas Polesovsky によって更新されました。

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti (回答)

Liferay Master 投稿: 676 参加年月日: 09/02/13 最新の投稿
Hi Shin,

it's LPS-46156 but only Community Security Team members can see the details.
thumbnail
9年前 に Shin Sameshima によって更新されました。

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

New Member 投稿: 11 参加年月日: 13/08/03 最新の投稿
Hi,tomas.
I wait LPS-46156 which will be fixed.
Thank you .
9年前 に raghu batchu によって更新されました。

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

New Member 投稿: 9 参加年月日: 09/08/23 最新の投稿
Hi

If this is fixed please let me know the patch location for 6.0 and 6.1 EE.

Thanks
Raghu Batchu
8年前 に gary b によって更新されました。

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

Junior Member 投稿: 81 参加年月日: 13/02/02 最新の投稿
Hi,

We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.
It was observed that the our application renders the user supplied scripts in the browser resulting in Cross site scripting attacks.
one of the example is below:
While capturing the request in proxy tools and append the Payload “><script>alert (document. Cookie) </script> in the url, it is getting executed and displaying the session ID and also giving 200 ok success on console.

We need to prevent our site from cross site attack. Please let me know how to resolve this.

Thanks in Advance.