[LPE-15297] Reflected XSS in page admin - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 6.2 EE GA1 (6.2.10)
Fix Version/s: 6.2.X EE
Component/s: WCM > Sites Management > Site Administration
Labels:
- 62-ee-sp16
- liferay-fixpack-portal-116-6210

Description

In /html/portlet/layouts_admin/add_layout.jsp the randomNamespace parameter is taken from the request parameter and used in the call to Liferay.Dockbar.AddPage without being escaped. While this jsp cannot be called directly from the UI, this XSS vulnerability could potentially allow a malicious script to be run.

Attachments

Activity

People

Assignee:

Gregory Bretall (Inactive)

Reporter:

Enterprise Release HU

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

24/Aug/16 3:31 PM

Updated:

23/Nov/16 5:37 PM

Resolved:

09/Sep/16 9:07 AM

Packages

Version	Package
6.2.X EE