- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 6.1 EE GA3 (6.1.30), 6.2 EE GA1 (6.2.10)
- Component/s: Application Security > OpenID, Security Vulnerability
The portal uses an old version of openid4java.jar that is vulnerable to XXE attacks. This flaw allows an attacker to read the file system, connect to internal systems (SSRF), and perform DoS on the portal.
See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-123