[LPS-32064] XSS in My Account's Custom Fields - Liferay Issues

XML

Word

Printable

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2
Fix Version/s: 6.1.2 CE GA3, 6.1.30 EE GA3, 6.2.0 CE M4
Component/s: Accessibility, Portal Configuration, Portal Configuration > Custom Fields, Security Vulnerability
Labels:
- QA-R
- QA-TP
- security
- xss
Environment:
Tomcat 7 + MySQL 5. Portal 6.1.x GIT ID: 0c4e8b41040f17c26c1e7589729b0f18b98bace7.
Tomcat 7 + MySQL 5. Portal 6.2.x GIT ID: 48a7c4c1c41473f02a27f554476c2ba257f3933a.

Branch Version/s:

6.1.x
Backported to Branch:

Committed
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/8494

Steps to reproduce

Create a Custom Field for Users, in the Type drop down menu select Group of Text Values.
Add some XSS ("><script>alert('Custom Field Key');</script>) into the Default Value.
Save the Custom Field.
Go to My Account and notice the popup window.

relates

LPE-8175 XSS vulnerability with custom fields in My Account page