- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 5.1 EE SP2 (5.1.5), 5.2 CE (5.2.3)
- Fix Version/s: 5.1 EE SP3 (5.1.6), 5.2 EE (5.2.4)
- Component/s: Application Security, Themes
- Labels: None
- Environment: All
An XSS vulnerability exists in the "Return to Full Page" link when it is combined with a phishing attack.
To patch a theme, replace the following line in portlet.vm
#set ($portlet_back_url = $portlet_display.getURLBack())
with
#set ($portlet_back_url = $htmlUtil.escape($portlet_display.getURLBack()))
- is related to: LPS-3462 Phishing + XSS vulnerability with "Return to Full Page" link (Closed)