[LPS-29338] XSS in group membership requests - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.0.6 GA, 6.0.12 EE, 6.1.1 CE GA2, 6.1.20 EE GA2
Fix Version/s: 6.0.X EE, 6.1.30 EE GA3, 6.2.0 CE M2
Component/s: Navigation Widgets > My Sites widget, Sites Management
Labels:
- 6.0_release_notes
- QA-R

Branch Version/s:

6.1.x, 6.0.x
Backported to Branch:

Committed
Fix Priority:
3
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/6526

Description

REPRODUCTION STEPS: (6.0.x Community equals 6.1.x and trunk sites)
1. Create a Community and set its type to restricted.
2. Add portlet "My Communities" on a page.
3. Log in with a different user, who is not a member of the created community.
4. On the "My Communities" portlet change to tab "Available Communities".
5. Search for the created community and click on "Request Membership".
6. Type the following into comment field: <script>alert('XSS');</script>
7. Log out and log in as the owner or admin of the community.
8. Go to "My Communities" Portlet and select "View Membership Request" from the Actions menu.

And also reproduced the same behaviour with "Reply Comments" textbox.

Attachments

Issue Links

relates

LPE-7486 XSS in group membership requests

Closed

Activity

People

Assignee:: Pani Gui (Inactive)

Reporter:: Kalman Vincze (Inactive)

Participants of an Issue:: Kalman Vincze, Matthew Lee, Pani Gui

Recent user:: Rafaela Nascimento

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/Aug/12 4:46 AM

Updated:: 27/Dec/22 11:14 AM

Resolved:: 17/Aug/12 11:04 PM

Days since last comment:: 10 years, 41 weeks, 5 days ago

Packages

Version	Package
6.0.X EE
6.1.30 EE GA3
6.2.0 CE M2