[LPE-960] Phishing + XSS vulnerability with "Return to Full Page" link - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 5.1 EE SP2 (5.1.5), 5.2 CE (5.2.3)
Fix Version/s: 5.1 EE SP3 (5.1.6), 5.2 EE (5.2.4)
Component/s: Application Security, Themes
Labels:
None
Environment:
All

Description

An XSS vulnerability exist with the "Return to Full Page" if it's combined with a phishing attack.

To patch a theme, replace the following line in portlet.vm

#set ($portlet_back_url = $portlet_display.getURLBack())

with

#set ($portlet_back_url = $htmlUtil.escape($portlet_display.getURLBack()))

Attachments

Issue Links

is related to

LPS-3462 Phishing + XSS vulnerability with "Return to Full Page" link

Closed

Activity

People

Assignee:: EE Support

Reporter:: Samuel Kong

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 22/May/09 2:50 PM

Updated:: 09/Dec/16 12:43 PM

Resolved:: 26/May/09 11:10 AM

Packages

Version	Package
5.1 EE SP3 (5.1.6)
5.2 EE (5.2.4)