Type: Bug
Status: Closed
Priority: Minor
Resolution: Completed
Affects Version/s: 6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10)
Fix Pack Status: Scheduled
7.0 Fix Pack Version: 45
Description
CSRF vulnerabilities exist in the Blogs, Documents and Media, Message Boards and Comments apps when Liferay DXP is run with the default configuration, because the actions listed below are exempted from the CSRF auth token check by the default value of 'auth.token.ignore.actions'.
Upgrade Notes
/blogs/edit_entry,\
/blogs_aggregator/edit_entry,\
/document_library/edit_file_entry,\
/message_boards/edit_message,\
/portal/comment/edit_discussion,\
Removing the above paths from 'auth.token.ignore.actions' will prevent the following features from working:
- Blog entry drafts and Wiki page drafts will no longer be automatically saved when the user's session expires
- Unauthenticated users will no longer be able to add a message in the Message Boards or add comments in the various apps that support comments.
To keep using these features, the above paths must be re-added to 'auth.token.ignore.actions' after applying the patch. Doing so also restores the CSRF exposure described above for those actions, so re-add only the paths whose feature you actually need.
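The following is an added example, not code from the original issue or from Liferay: a small audit script that parses a portal-ext.properties file (the usual place this property is overridden; the file name is an assumption, the issue only names the property), joins the backslash-continued lines, extracts 'auth.token.ignore.actions' and reports which of the paths listed in the upgrade notes are still exempt from the CSRF token check. The sample properties text is constructed for the example and is not taken from a real deployment.

```python
"""Audit a Liferay portal-ext.properties for the CSRF-token exemptions
named in this issue. Added example; not part of the original issue or of
Liferay itself."""

import re

# Paths the upgrade notes say must be removed from auth.token.ignore.actions.
ADVISORY_PATHS = (
    "/blogs/edit_entry",
    "/blogs_aggregator/edit_entry",
    "/document_library/edit_file_entry",
    "/message_boards/edit_message",
    "/portal/comment/edit_discussion",
)

# Constructed sample (not a real deployment's file): a portal-ext.properties
# that still carries the pre-patch exemptions plus one unrelated action.
SAMPLE_PROPERTIES = """\
# portal-ext.properties (constructed example)
company.default.web.id=liferay.com

auth.token.ignore.actions=\\
    /blogs/edit_entry,\\
    /blogs_aggregator/edit_entry,\\
    /document_library/edit_file_entry,\\
    /message_boards/edit_message,\\
    /portal/comment/edit_discussion,\\
    /some/other/action

auth.token.check.enabled=true
"""


def parse_properties(text):
    """Minimal Java .properties parser: joins lines ending in a backslash,
    skips comments and blank lines, and splits each logical line on the
    first '=' or ':'. Handles only the subset of the format that
    portal-ext.properties uses (no unicode or other escape sequences)."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        # Comments and blank lines only count when not inside a continuation.
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if match:
            props[match.group(1)] = match.group(2)
        logical = ""
    return props


def ignored_actions(props):
    """Return the set of action paths exempted from the CSRF token check."""
    value = props.get("auth.token.ignore.actions", "")
    return {p.strip() for p in value.split(",") if p.strip()}


def audit(text):
    """Return, sorted, the advisory paths still exempt in the given file."""
    exempt = ignored_actions(parse_properties(text))
    return sorted(p for p in ADVISORY_PATHS if p in exempt)


if __name__ == "__main__":
    findings = audit(SAMPLE_PROPERTIES)
    if not findings:
        print("no advisory paths exempt from the CSRF token check")
    for path in findings:
        print("still exempt from CSRF token check:", path)
```

Every path the script reports is one where a forged cross-site POST is accepted without the auth token; each should either be removed from the override or kept deliberately, with the loss of the corresponding feature (draft autosave, anonymous posting) accepted in writing.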