      Description

      PortalImpl doesn't validate the cdn_host param, and the usages of the CDN URL don't escape it either.

      http://www.liferay.com/?cdn_host=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

              People

              Assignee:
              joshua.robins Joshua Robins (Inactive)
              Reporter:
              tomas.polesovsky Tomáš Polešovský
              Recent user:
              Esther Sanz

                Dates

                Days since last comment:
                9 years, 1 week, 5 days ago

                  Packages

                  Version Package
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2
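
The description reports two gaps: the cdn_host parameter is not validated, and the places that print the CDN URL do not escape it. The following is an added example, not Liferay's code or its actual fix, showing both controls together. The class name, the allowlist, the host cdn.example.com and the path /js/main.js are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class CdnHostParam {
    // Assumption: the deployment knows its CDN hosts up front (placeholder value).
    static final Set<String> ALLOWED_HOSTS = Set.of("cdn.example.com");

    /** Returns a normalized origin for an allowed CDN host, or null to reject. */
    static String validate(String param) {
        if (param == null) return null;
        try {
            URI uri = new URI(param); // throws on ", <, > and other illegal characters
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) return null;
            scheme = scheme.toLowerCase(Locale.ROOT);
            host = host.toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) return null;
            if (!ALLOWED_HOSTS.contains(host)) return null;
            // Rebuild from parsed parts: user info, port, path, query, fragment are dropped.
            return scheme + "://" + host;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** HTML-escapes a value for use inside a quoted attribute ('&' must go first). */
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed inputs: one allowed host, and the decoded value from the URL in the report.
        String[] samples = {"https://cdn.example.com", "\"><script>alert('xss');</script>"};
        for (String s : samples) {
            String cdn = validate(s); // null means: ignore the parameter, serve locally
            String src = escapeAttr((cdn == null ? "" : cdn) + "/js/main.js");
            System.out.println("<script src=\"" + src + "\"></script>");
        }
    }
}
```

Escaping alone would stop the markup breakout but would still let a request point script loads at an arbitrary host, which is why the example also restricts the value to known CDN hosts.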