Details

    • Business Value:
      5
    • 7.0 Fix Pack Version:
      55
    • 7.1 Fix Pack Version:
      1

      Description

      The default configuration for Liferay DXP 7.1 and Liferay Digital Enterprise 7.0 allows attackers to conduct XML External Entity (XXE) attacks via XSL templates in XSL Content and Web Content.

      Possible Mitigation Actions
      Choose the one which is most suitable for your installation.

      A.) Create a file called com.liferay.portal.template.xsl.configuration.XSLEngineConfiguration.config with the content secureProcessingEnabled=true and place it in LIFERAY_HOME/osgi/configs
      B.) Navigate to Control Panel - System Settings - <Platform/Foundation> - Template Engines - XSL Engine and enable "Secure Processing Enabled"
      C.) Install a Fix Pack which includes the fix for this issue
      D.) Request a new Hotfix which includes the fix for this issue

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-397
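
A way to audit mitigation A across installations, as an added example that is not part of the original ticket or of Liferay's tooling. The function name and return codes are choices made for this example, and accepting the typed form B"true" is an assumption about the OSGi .config syntax.

```shell
#!/bin/sh
# Added example: check whether mitigation A is in place under a LIFERAY_HOME.
# Return codes (chosen for this example):
#   0 = secureProcessingEnabled is true
#   1 = the config file is missing
#   2 = the file exists but the key is absent or not true

XSL_CFG_NAME="com.liferay.portal.template.xsl.configuration.XSLEngineConfiguration.config"

check_xsl_secure_processing() {
    liferay_home=$1
    cfg="$liferay_home/osgi/configs/$XSL_CFG_NAME"

    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg" >&2
        return 1
    fi

    # Use the last uncommented assignment of the key, then strip CR, tabs,
    # spaces and quotes and lower-case the value before comparing.
    value=$(sed -n 's/^[[:space:]]*secureProcessingEnabled[[:space:]]*=[[:space:]]*//p' "$cfg" \
        | tail -n 1 | tr -d '\r\t" ' | tr '[:upper:]' '[:lower:]')

    # "true" is the form given in option A; B"true" (assumed typed boolean
    # syntax) reduces to "btrue" after the quotes are stripped.
    case "$value" in
        true|btrue)
            echo "OK: secure processing enabled in $cfg"
            return 0 ;;
        *)
            echo "NOT ENABLED: secureProcessingEnabled='$value' in $cfg" >&2
            return 2 ;;
    esac
}

# Script usage: sh check_xsl.sh /path/to/liferay_home
if [ "$#" -ge 1 ]; then
    check_xsl_secure_processing "$1"
    exit $?
fi
```

The check reads only the file from option A, so an installation secured solely through System Settings (option B) or by a Fix Pack or Hotfix is reported as missing and needs to be verified separately.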

            People

            • Assignee:
              support-ee EE Support
              Reporter:
              tibor.lipusz Tibor Lipusz

                Packages

                Version Package
                7.0.X EE
                7.1.x EE