- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 5.1 EE SP1 (5.1.4)
- Fix Version/s: 5.1 EE SP2 (5.1.5)
- Component/s: Application Security, Themes
- Labels: None
- Environment: All
A cross-site scripting (XSS) vulnerability exists with the $portlet_id variable in themes.
To patch a theme, replace the following line in portlet.vm:
#set ($portlet_id = $portlet_display.getId())
with
#set ($portlet_id = $htmlUtil.escape($portlet_display.getId()))
- is related to: LPS-2398 XSS vulnerability in themes (Closed)
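The following script is an added example, not part of the original ticket or of Liferay's code. It checks custom themes for the unescaped assignment described above and can optionally apply the replacement line. It assumes the theme sources are on disk under one root directory; the `--fix` switch and the `.bak` backup name are this example's own conventions.

```python
import re
import sys
from pathlib import Path

# The unescaped assignment quoted in the ticket, tolerating whitespace differences.
UNPATCHED = re.compile(
    r"#set\s*\(\s*\$portlet_id\s*=\s*\$portlet_display\.getId\(\)\s*\)"
)
PATCHED = "#set ($portlet_id = $htmlUtil.escape($portlet_display.getId()))"


def find_unpatched(text):
    """Return 1-based line numbers that still assign $portlet_id unescaped."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if UNPATCHED.search(line) and not line.lstrip().startswith("##")]


def patch_text(text):
    """Return (new_text, count), replacing each unescaped assignment."""
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        if not line.lstrip().startswith("##"):  # skip Velocity line comments
            line, n = UNPATCHED.subn(lambda m: PATCHED, line)
            count += n
        out.append(line)
    return "".join(out), count


def scan_themes(root, fix=False):
    """Find portlet.vm files under root; report and optionally patch them."""
    results = {}
    for vm in Path(root).rglob("portlet.vm"):
        text = vm.read_bytes().decode("utf-8")  # bytes keep line endings intact
        lines = find_unpatched(text)
        if lines:
            results[str(vm)] = lines
            if fix:
                vm.with_name(vm.name + ".bak").write_bytes(text.encode("utf-8"))
                vm.write_bytes(patch_text(text)[0].encode("utf-8"))
    return results


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = args[0] if args else "."
    for path, lines in scan_themes(root, fix="--fix" in sys.argv).items():
        print(f"{path}: unescaped $portlet_id on line(s) {lines}")
```

Run it without `--fix` first to list affected themes, then redeploy any theme the script changes.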