Details

      Description

An attacker with access to the JSON services can cause Java code written into the title or the description of a calendar event to execute. If the attacker also has permission to create events in the Calendar portlet, the attacker can execute arbitrary Java code on the server.

      Workaround

Disable JSON service access to CalEventServiceUtil by adding "com.liferay.portlet.calendar.service.CalEventServiceUtil" to the "json.service.invalid.class.names" property in portal-ext.properties. A value set in portal-ext.properties replaces the default value from portal.properties rather than extending it, so the existing entries must be repeated alongside the new one. For example:

      json.service.invalid.class.names=\
          com.liferay.documentlibrary.service.DLLocalServiceUtil,\
          com.liferay.documentlibrary.service.DLServiceUtil,\
          com.liferay.mail.service.MailServiceUtil,\
          com.liferay.portal.service.CompanyServiceUtil,\
          com.liferay.portal.service.PortalServiceUtil,\
          com.liferay.portal.service.PortletServiceUtil,\
          com.liferay.portlet.calendar.service.CalEventServiceUtil
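To confirm the workaround actually landed in a deployed portal-ext.properties, the following added example (not part of this issue or of Liferay's own code) parses the file using standard Java .properties syntax, including the backslash line continuations used above, and reports whether CalEventServiceUtil is listed in json.service.invalid.class.names. The two embedded configurations are constructed samples: one that still omits the calendar service and one that contains the workaround value. The property is read when the portal starts, so the check reflects what takes effect after a restart.

```python
"""Check that a Liferay portal-ext.properties blocks CalEventServiceUtil from the JSON service.

Added example, not code from the original issue or from Liferay. It assumes only
standard Java .properties syntax (key=value, '#' comments, '\\' continuations).
"""
import sys

PROPERTY = "json.service.invalid.class.names"
CAL_EVENT_SERVICE = "com.liferay.portlet.calendar.service.CalEventServiceUtil"

# Constructed sample: the property is set but still omits the calendar service.
VULNERABLE_CONFIG = """\
# portal-ext.properties (constructed sample, pre-workaround)
json.service.invalid.class.names=\\
    com.liferay.documentlibrary.service.DLLocalServiceUtil,\\
    com.liferay.documentlibrary.service.DLServiceUtil,\\
    com.liferay.mail.service.MailServiceUtil,\\
    com.liferay.portal.service.CompanyServiceUtil,\\
    com.liferay.portal.service.PortalServiceUtil,\\
    com.liferay.portal.service.PortletServiceUtil
"""

# Constructed sample: the value given in the workaround above.
HARDENED_CONFIG = """\
# portal-ext.properties (constructed sample, with workaround)
json.service.invalid.class.names=\\
    com.liferay.documentlibrary.service.DLLocalServiceUtil,\\
    com.liferay.documentlibrary.service.DLServiceUtil,\\
    com.liferay.mail.service.MailServiceUtil,\\
    com.liferay.portal.service.CompanyServiceUtil,\\
    com.liferay.portal.service.PortalServiceUtil,\\
    com.liferay.portal.service.PortletServiceUtil,\\
    com.liferay.portlet.calendar.service.CalEventServiceUtil
"""


def _continues(line):
    """A line ending in an odd number of backslashes continues on the next line."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text):
    """Parse .properties text into a dict, joining backslash-continued lines.

    Leading whitespace on continuation lines is dropped, as java.util.Properties does.
    """
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if logical == "" and (not line or line.startswith(("#", "!"))):
            continue  # blank line or comment outside a continued value
        if _continues(line):
            logical += line[:-1]
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if not sep:
            key, sep, value = logical.partition(":")
        props[key.strip()] = value.strip()
        logical = ""
    return props


def blocked_classes(props):
    """Return the set of class names listed in json.service.invalid.class.names."""
    value = props.get(PROPERTY, "")
    return {name.strip() for name in value.split(",") if name.strip()}


def is_blocked(text, class_name=CAL_EVENT_SERVICE):
    """True if the given class is denied to the JSON service by this configuration."""
    return class_name in blocked_classes(parse_properties(text))


def check_file(path, class_name=CAL_EVENT_SERVICE):
    """Check a real portal-ext.properties on disk (.properties files are ISO-8859-1)."""
    with open(path, encoding="latin-1") as handle:
        return is_blocked(handle.read(), class_name)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok = check_file(sys.argv[1])
        print(("blocked" if ok else "NOT blocked"), CAL_EVENT_SERVICE, "in", sys.argv[1])
    else:
        print("constructed vulnerable sample blocked:", is_blocked(VULNERABLE_CONFIG))
        print("constructed hardened sample blocked:  ", is_blocked(HARDENED_CONFIG))
```

Run it with the path to the deployed portal-ext.properties; an absent property, or a value that lists the other service classes but not CalEventServiceUtil, both report NOT blocked.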

            People

            • Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              samuel.kong Samuel Kong