[LPE-1135] Malicious JavaScript can be inserted into the Enterprise Admin portlet - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 5.1 EE SP2 (5.1.5)
Fix Version/s: 5.1 EE SP3 (5.1.6)
Component/s: Legacy > Enterprise Admin
Labels:
None
Environment:
All

Description

A cross site scripting (XSS) vulnerability exist with the name and job title field in the Enterprise Admin portlet. An attacker can potentially exploit this security vulnerability to insert malicious JavaScript into a page.

To address this issue, names and job titles are now escaped before they are displayed on a page.

Attachments

Issue Links

is related to

LPS-4026 First Name, Last Name and Job Title Not Escaping HTML In The Enterprise Admin Portlet

Closed

Activity

People

Assignee:: Wesley Gong

Reporter:: Wesley Gong

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 07/Jul/09 5:08 PM

Updated:: 09/Dec/16 12:44 PM

Resolved:: 09/Jul/09 9:22 PM

Packages

Version	Package
5.1 EE SP3 (5.1.6)