Uploaded image for project: 'PUBLIC - Liferay Portal Enterprise Edition'
  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-16490

XSS vulnerability with default sanitizer

    XMLWordPrintable

    Details

    • 7.0 Fix Pack Version:
      58
    • 7.1 Fix Pack Version:
      1

      Description

      The default sanitizer in Liferay DXP 7.1 and DXP 7.0 is OWASP AntiSamy. Multiple vulnerabilities exist in AntiSamy which allows input to bypass AntiSamy's XSS protection.

      https://nvd.nist.gov/vuln/detail/CVE-2016-10006
      https://nvd.nist.gov/vuln/detail/CVE-2017-14735

        Attachments

          Issue Links

          Testing discovered

          Regression Bug - Used by Liferay QA to indicate an issue discovered during regression testing LPE-16509 XSS vulnerability with default sanitizer (Additional changes)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

            Activity

              People

              Assignee:
              support-ee EE Support
              Reporter:
              EnterpriseReleaseHU Enterprise Release HU
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Packages

                  Version Package
                  7.0.X EE
                  7.1.x EE