  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-4194

XSL Content portlet allows execution of code on server

    Details

      Description

      A security vulnerability exists in the XSL Content portlet that can potentially allow execution of code on the server.

      Specifically, the XML/XSL specification allows for potentially dangerous code to be executed. However, this can be a useful feature for some portals. To address this issue, it is now possible to set permissions in roles to determine who can add the XSL Content portlet to a page (LPE-4307).

      UPGRADE NOTES:

      By default, users with a My Community will no longer be able to add the XSL Content portlet to their My Community pages. If users need to be given permission to add an XSL Content portlet to their My Community, additional permissions must be granted to the users.

              People

              • Assignee:
                mark.jin Mark Jin (Inactive)
                Reporter:
                samuel.kong Samuel Kong

                  Packages

                  Version Package
                  5.2 EE SP6 (5.2.10)
                  6.0 EE SP2 (6.0.12)