  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-24842

Login Portlet rememberMe URL parameter could cause XSS vulnerability

    Details

      Description

      On the login page, adding the _58_rememberMe="onmouseover=alert("m1aFhX9G")" URL parameter causes XSS in Firefox.
      Through this URL: http://127.0.0.1:8080/web/guest/home?p_auth=tVc4cnpn&p_p_id=58&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&saveLastPath=0&_58_struts_action=/login/login&_58_doActionAfterLogin=false&_58_rememberMe="onmouseover=alert("m1aFhX9G")"
      when the mouse is over the "Remember Me" checkbox, the XSS is triggered.
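
The class of flaw reported above, as an added example (not Liferay's code and not part of the original report): a request parameter echoed into a double-quoted HTML attribute without escaping, next to a hardened rendering. The class name, method names and checkbox markup are hypothetical, and the hardened version is one possible fix, not necessarily the one Liferay applied.

```java
// Added illustration; not Liferay source. All names and markup are hypothetical.
public class RememberMeCheckbox {

    // Vulnerable pattern: the raw parameter is concatenated into a quoted
    // attribute, so a value containing '"' closes the attribute and the rest
    // of the value is parsed by the browser as additional attributes.
    static String renderUnsafe(String rememberMe) {
        return "<input name=\"_58_rememberMe\" type=\"checkbox\" value=\""
            + rememberMe + "\" />";
    }

    // Encode the characters that are significant inside a quoted attribute.
    static String escapeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: rememberMe is a flag, so parse it as a boolean
    // (anything other than "true" becomes false) and never echo the raw
    // string. Output escaping is kept as defence in depth.
    static String renderSafe(String rememberMe) {
        boolean checked = Boolean.parseBoolean(rememberMe);
        return "<input name=\"_58_rememberMe\" type=\"checkbox\" value=\""
            + escapeAttribute(String.valueOf(checked)) + "\""
            + (checked ? " checked" : "") + " />";
    }

    public static void main(String[] args) {
        // Parameter value as given in the report above.
        String param = "\"onmouseover=alert(\"m1aFhX9G\")\"";
        System.out.println("unsafe: " + renderUnsafe(param));
        System.out.println("safe:   " + renderSafe(param));
        System.out.println("safe:   " + renderSafe("true"));
    }
}
```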

              People

              Assignee:
              paul.piao Paul Piao (Inactive)
              Reporter:
              zhao.jin Neil Jin (Inactive)
              Recent user:
              Esther Sanz
              Votes:
              0
              Watchers:
              2

                Dates

                Days since last comment:
                8 years, 10 weeks, 1 day ago

                  Packages

                  Version Package
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  6.2.0 CE M2