    Description

      The default configuration for Liferay DXP 7.1 and Liferay Digital Enterprise 7.0 allows attackers to conduct XML External Entity (XXE) attacks via XSL templates in XSL Content and Web Content.

      Possible Mitigation Actions
      Choose the one which is most suitable for your installation.

      A.) Create a file called com.liferay.portal.template.xsl.configuration.XSLEngineConfiguration.config with the content secureProcessingEnabled=true and place it in LIFERAY_HOME/osgi/configs
      B.) Navigate to Control Panel - System Settings - <Platform/Foundation> - Template Engines - XSL Engine and enable "Secure Processing Enabled"
      C.) Install a Fix Pack which includes the fix for this issue
      D.) Request a new Hotfix which includes the fix for this issue

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-397
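
One way to audit whether mitigation A is in place on a host, as an added example that is not part of the original advisory or Liferay's own tooling. The function name and return codes are illustrative; accepting the quoted and B"..." value forms in addition to the plain form given above is an assumption based on Apache Felix .config syntax.

```shell
#!/bin/sh
# Added example: check that the XSL engine config from mitigation A exists
# and turns secure processing on. File name and key are taken from the advisory.

CONFIG_NAME="com.liferay.portal.template.xsl.configuration.XSLEngineConfiguration.config"

# check_xsl_secure_processing LIFERAY_HOME
# Returns: 0 = enabled, 1 = config file missing,
#          2 = key missing or empty, 3 = key set to something other than true
check_xsl_secure_processing() {
    cfg="$1/osgi/configs/$CONFIG_NAME"
    [ -f "$cfg" ] || return 1

    # Last assignment of the key wins; commented-out lines do not match,
    # and CR characters from Windows-edited files are dropped first.
    value=$(tr -d '\r' < "$cfg" \
        | sed -n 's/^[[:space:]]*secureProcessingEnabled[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
        | tail -n 1)
    [ -n "$value" ] || return 2

    # Assumption: the value may be written as true, "true" or B"true".
    # Strip trailing whitespace, the optional B type prefix and the quotes.
    value=$(printf '%s' "$value" \
        | sed 's/[[:space:]]*$//; s/^B"/"/; s/^"\(.*\)"$/\1/')
    case "$value" in
        true|TRUE|True) return 0 ;;
        *) return 3 ;;
    esac
}

# When run with a Liferay home as argument, print a one-line verdict.
if [ "$#" -gt 0 ]; then
    rc=0
    check_xsl_secure_processing "$1" || rc=$?
    case "$rc" in
        0) echo "OK: secure processing enabled in $1" ;;
        1) echo "MISSING: $CONFIG_NAME not found under $1/osgi/configs" ;;
        2) echo "MISSING KEY: secureProcessingEnabled is not set" ;;
        3) echo "DISABLED: secureProcessingEnabled is not true" ;;
    esac
    exit "$rc"
fi
```

A passing result only confirms the file-based setting from option A; a value set through System Settings (option B) is not stored in this file and has to be checked in the Control Panel.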

          People

            support-ee EE Support
            tibor.lipusz Tibor Lipusz
              Packages

                Version Package
                7.0.X EE
                7.1.x EE