[LPE-15845] CSRF in whitelisted actions - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Completed
Affects Version/s: 6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10)
Fix Version/s: 6.2.X EE, 7.0.X EE
Component/s: Collaboration > Blogs, Collaboration > Message Boards, Security Vulnerability
Labels:

Fix Pack Status:
Scheduled
7.0 Fix Pack Version:
45

Description

Description
CSRF vulnerabilities exists in the Blogs, Document and Media, Message Boards and Comments app when using Liferay DXP with the default configuration.

Upgrade Notes

/blogs/edit_entry,\
/blogs_aggregator/edit_entry,\
/document_library/edit_file_entry,\
/message_boards/edit_message,\
/portal/comment/edit_discussion,\

Removing the above paths from 'auth.token.ignore.actions' will prevent the following features from working:

Blog entry drafts and Wiki page drafts will no longer be automatically saved when the user's session expires
Unauthenticated users will no longer be able to add a message in the Message Boards or add comments in the various apps that support comments.

To keep using these features, the above paths must be re-added after applying the patch.

Attachments

Activity

People

Assignee:: Sam Ziemer

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 25/Apr/17 8:24 AM

Updated:: 10/May/19 2:05 AM

Resolved:: 14/Sep/18 2:22 PM

Packages

Version	Package
6.2.X EE
7.0.X EE