PUBLIC - Liferay Portal Enterprise Edition / LPE-15645

Stored XSS and content spoofing vulnerability in SWFUpload

Details

    Description

      Stored XSS and content spoofing vulnerability in SWFUpload.

      Removed the swfupload and video_player Utilities

      What changed?

      The utilities swfupload and video_player have been removed.

      Who is affected?

      This affects anyone who is using the swfupload AlloyUI module or any of the associated swfupload_f*.swf and mpw_player.swf Flash movies.

      How should I update my code?

      There are now better, more standard ways to handle uploads. For instance, you can use A.Uploader to manage your uploads consistently across browsers.

      For audio/video playback, you should update your code to use A.Audio and A.Video.

      Why was this change made?

      This change removes outdated code that is no longer used in the platform. In addition, it avoids future security issues from outdated Flash movies.
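
One way to check whether a plugin or theme falls under "Who is affected?" is to scan its source tree for the removed Flash movies and for references to the removed utilities. The script below is an added example, not Liferay's own tooling; the scanned file extensions, the function names and the sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# Names taken from the issue text; the extension list is an assumption.
REMOVED_MOVIES = ("swfupload_f*.swf", "mpw_player.swf")
REMOVED_REFS = re.compile(r"swfupload|video_player|mpw_player", re.IGNORECASE)
TEXT_EXTENSIONS = (".js", ".jsp", ".jspf", ".ftl", ".vm", ".html", ".tag")

def find_removed_usage(root):
    """Return sorted (relative_path, line, detail); line 0 marks a bundled movie."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if any(fnmatch.fnmatch(lower, pat) for pat in REMOVED_MOVIES):
                findings.append((rel, 0, "bundled flash movie"))
            elif lower.endswith(TEXT_EXTENSIONS):
                # Report every source line that names a removed utility.
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        match = REMOVED_REFS.search(line)
                        if match:
                            findings.append((rel, lineno, match.group(0)))
    return sorted(findings)

def build_sample_tree(root):
    """Create a small constructed plugin layout to scan (not real Liferay files)."""
    samples = {
        "docroot/js/upload.js": "AUI().use('swfupload', function(A) {\n});\n",
        "docroot/js/player.js": "// clean file\nAUI().use('aui-video', fn);\n",
        "docroot/flash/swfupload_f10.swf": "",
        "docroot/flash/mpw_player.swf": "",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, lineno, detail in find_removed_usage(tmp):
            print(f"{rel}:{lineno}: {detail}")
```

The reference match is a plain substring search, so hits are candidates to review before migrating to A.Uploader, A.Audio or A.Video.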

          People

            support-ee EE Support
            tibor.lipusz Tibor Lipusz

              Packages

                Version Package
                6.2.X EE