Details

    • Fix Pack Status:
      Scheduled
    • 7.0 Fix Pack Version:
      45

      Description

      CSRF vulnerabilities exist in the Blogs, Documents and Media, Message Boards and Comments apps when using Liferay DXP with the default configuration.

      Upgrade Notes

      /blogs/edit_entry,\
      /blogs_aggregator/edit_entry,\
      /document_library/edit_file_entry,\
      /message_boards/edit_message,\
      /portal/comment/edit_discussion,\ 

      Removing the above paths from 'auth.token.ignore.actions' will prevent the following features from working:

      • Blog entry drafts and Wiki page drafts will no longer be automatically saved when the user's session expires
      • Unauthenticated users will no longer be able to add a message in the Message Boards or add comments in the various apps that support comments.

      To keep using these features, the above paths must be re-added after applying the patch.
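A way to check which of the five actions above a properties override still lists under 'auth.token.ignore.actions', for example after re-adding some of them. This is an added example, not code from Liferay or from this ticket; the function names and the sample text are constructed, and it assumes the override lives in a Java properties file passed in as text.

```python
import re

# The five actions named in the upgrade notes above.
CSRF_EXEMPT_PATHS = {
    "/blogs/edit_entry",
    "/blogs_aggregator/edit_entry",
    "/document_library/edit_file_entry",
    "/message_boards/edit_message",
    "/portal/comment/edit_discussion",
}

def read_property(text, key):
    """Return the last value assigned to key (later entries win), or None if unset."""
    value, logical = None, ""
    for raw in text.splitlines() + [""]:   # sentinel flushes a dangling continuation
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue                        # blank line or comment
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:               # odd count: last backslash continues the line
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)", logical)
        if m and m.group(1) == key:
            value = m.group(2)
        logical = ""
    return value

def exempt_actions(properties_text):
    """List which of the five actions the override still lists; None if not overridden."""
    value = read_property(properties_text, "auth.token.ignore.actions")
    if value is None:
        return None                         # key absent: the shipped default applies
    configured = {p.strip() for p in value.split(",") if p.strip()}
    return sorted(configured & CSRF_EXEMPT_PATHS)

# Constructed sample override, not taken from a real installation.
SAMPLE = r"""
# constructed sample
example.constructed.key=1
auth.token.ignore.actions=\
    /blogs/edit_entry,\
    /example/constructed_action,\
    /portal/comment/edit_discussion
"""

if __name__ == "__main__":
    print(exempt_actions(SAMPLE))
```

A `None` result means the file does not set the property at all, so the effective value is whatever the installed fix pack ships as its default.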

            People

            • Assignee:
              samuel.ziemer Sam Ziemer
              Reporter:
              EnterpriseReleaseHU Enterprise Release HU

                Packages

                Version Package
                6.2.X EE
                7.0.X EE