[LPS-36112] Potential XSS in web content feedId - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.0.6 GA, 6.0.12 EE, 6.1.1 CE GA2, 6.1.20 EE GA2, 6.2.0 CE M6
Fix Version/s: 6.1.2 CE GA3, 6.1.30 EE GA3, 6.2.0 CE M6
Component/s: Accessibility, Security Vulnerability, Web Content > Web Content Administration
Labels:
- QA-R
- QA-TP
- XSS

Branch Version/s:

6.1.x
Backported to Branch:

Committed
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/11654

Description

This potentially could happen

1. Control Panel > Web Content > Manage > Feeds
2. Add a feed
3. Return to the view which list all the feeds
4. Right click on the ID of the feed and copy the URL
5. Past the URL into a new tab/window
6. Change the value of "_15_feedId" parameter in the URL, for example:

_15_feedId=123<script>alert(999)</script>

And an alert windows will open.

However, this currently does not happen because of other logic in the code which causes this line of code to not execute if the feedId is invalid.

Attachments

Issue Links

relates

LPE-9044 XSS issue in Web Content feed

Closed

Activity

People

Assignee:: Brian Wulbern

Reporter:: Samuel Kong

Participants of an Issue:: Brian Wulbern, Samuel Kong

Recent user:: Austin Chiang

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 10/Jun/13 3:45 AM

Updated:: 3 days ago 10:59 PM

Resolved:: 10/Jun/13 2:08 PM

Days since last comment:: 9 years, 43 weeks, 1 day ago

Packages

Version	Package
6.1.2 CE GA3
6.1.30 EE GA3
6.2.0 CE M6