Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-28310

Remote code execution in Calendar portlet

Details

Description

An attacker with access to JSON services can cause Java code written in the title or the description of a calendar event to execute. If the attacker also has permission to create events in the Calendar portlet, the attacker will be able to execute any Java code on the server.

Workaround

Disable JSON service access to CalEventServiceUtil by adding "com.liferay.portlet.calendar.service.CalEventServiceUtil" to the "json.service.invalid.class.names" property in portal-ext.properties. For example:

    json.service.invalid.class.names=\
        com.liferay.documentlibrary.service.DLLocalServiceUtil,\
        com.liferay.documentlibrary.service.DLServiceUtil,\
        com.liferay.mail.service.MailServiceUtil,\
        com.liferay.portal.service.CompanyServiceUtil,\
        com.liferay.portal.service.PortalServiceUtil,\
        com.liferay.portal.service.PortletServiceUtil,\
        com.liferay.portlet.calendar.service.CalEventServiceUtil
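As an added example (this is not Liferay code and is not part of the issue page), the following Python check reads a portal-ext.properties file and confirms that the workaround above is actually in place: it parses the Java .properties syntax, including the backslash line continuations used in the fragment above, and reports whether CalEventServiceUtil appears in json.service.invalid.class.names. The sample properties text is constructed inline; the function names are this example's own.

```python
"""Verify that portal-ext.properties blocks JSON-service access to
CalEventServiceUtil, as the LPS-28310 workaround requires.

Added example, not Liferay code. Assumes standard Java .properties syntax:
``key=value`` entries, ``#``/``!`` comment lines, and a trailing backslash
that continues a value on the next line (leading whitespace of the
continuation line is ignored).
"""
from typing import Dict, List

PROPERTY = "json.service.invalid.class.names"
REQUIRED_CLASS = "com.liferay.portlet.calendar.service.CalEventServiceUtil"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: joins continued lines, skips comments."""
    props: Dict[str, str] = {}
    pending = ""  # partial value carried over from a backslash-continued line
    for raw in text.splitlines():
        line = raw.strip()
        # Blank and comment lines only count when we are not mid-continuation.
        if not pending and (not line or line.startswith(("#", "!"))):
            continue
        line = pending + line
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    if pending:  # file ended on a continuation line; keep what we have
        key, sep, value = pending.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def invalid_class_names(props: Dict[str, str]) -> List[str]:
    """Return the comma-separated class list, or [] if the property is unset."""
    value = props.get(PROPERTY, "")
    return [name.strip() for name in value.split(",") if name.strip()]


def calendar_blocked(properties_text: str) -> bool:
    """True when CalEventServiceUtil is denied to the JSON service layer.

    Note: this only confirms the documented workaround; the actual fix is
    upgrading to one of the packages listed on the issue.
    """
    return REQUIRED_CLASS in invalid_class_names(parse_properties(properties_text))


# Constructed sample: the workaround from the issue page, applied.
SAMPLE_PATCHED = """\
# constructed portal-ext.properties fragment (not from a real deployment)
json.service.invalid.class.names=\\
    com.liferay.documentlibrary.service.DLLocalServiceUtil,\\
    com.liferay.documentlibrary.service.DLServiceUtil,\\
    com.liferay.mail.service.MailServiceUtil,\\
    com.liferay.portal.service.CompanyServiceUtil,\\
    com.liferay.portal.service.PortalServiceUtil,\\
    com.liferay.portal.service.PortletServiceUtil,\\
    com.liferay.portlet.calendar.service.CalEventServiceUtil
"""

# Constructed sample: the default list without the calendar class added.
SAMPLE_UNPATCHED = """\
json.service.invalid.class.names=\\
    com.liferay.documentlibrary.service.DLLocalServiceUtil,\\
    com.liferay.documentlibrary.service.DLServiceUtil,\\
    com.liferay.mail.service.MailServiceUtil,\\
    com.liferay.portal.service.CompanyServiceUtil,\\
    com.liferay.portal.service.PortalServiceUtil,\\
    com.liferay.portal.service.PortletServiceUtil
"""

if __name__ == "__main__":
    for label, sample in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        status = "blocked" if calendar_blocked(sample) else "EXPOSED"
        print(f"{label}: CalEventServiceUtil is {status} for JSON services")
```

Run it against a real deployment by passing the contents of portal-ext.properties to calendar_blocked(); an empty or missing property (the default when the file does not set it) is reported as exposed, which is the conservative reading.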


People

Assignee: support-lep@liferay.com SE Support
Reporter: samuel.kong Samuel Kong
Participants: Esther Sanz


Packages

Version   Package
6.0.X     EE
6.1.1     CE GA2
6.1.10    EE GA1
6.1.20    EE GA2
--Sprint 11/12
6.2.0     CE M2