[LPS-42754] Navigate to control panel will throw XSS window after leaving the site with JS name. - Liferay Issues

XML

Word

Printable

Details

Type: Regression Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.2.0 CE GA1, 7.0.0 M3
Fix Version/s: 6.2.3 CE GA4, 6.2.X EE, 7.0.0 M1
Component/s: Security Vulnerability, ~ [Archived] Frontend Infrastructure
Labels:
Environment:
Tomcat 7.0.42 + MySQL 5.5.34. Portal master GIT ID: 9cc4997fe5920c162862c06686b88dd9549af70f.

Branch Version/s:

6.2.x
Backported to Branch:

Committed
Story Points:
5
Fix Priority:
4
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/15685

Description

Create a Site named <script>alert("123");</script> .
Give a page to the site.
View the page -> Admin -> control panel.

Expected result:
There should be no JS alert shows up.

Actual result:
It will alert JS window.

CVSS Base Score: 7.1
CVSS Temporal Score: 5.6
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C/E:P/RL:OF/RC:C)

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

attachment.gif
543 kB
04/Dec/13 12:08 AM
Screen Shot 2013-12-10 at 11.21.45 AM.png
11 kB
10/Dec/13 11:22 AM
Screen Shot 2013-12-10 at 11.22.04 AM.png
8 kB
10/Dec/13 11:22 AM

Issue Links

is duplicated by

LPS-54303 Various XSS issues in 6.2.2

Closed

relates

LPE-13167 Navigating to control panel will show XSS alert after leaving the site with JS name

Closed

Activity

People

Assignee:: Serena Song (Inactive)

Reporter:: Serena Song (Inactive)

Participants of an Issue:: Robert Frampton, Serena Song

Recent user:: Esther Sanz

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Dec/13 12:08 AM

Updated:: 05/Aug/16 1:09 AM

Resolved:: 10/Dec/13 7:04 PM

Days since last comment:: 7 years, 45 weeks, 4 days ago

Packages

Version	Package
6.2.3 CE GA4
6.2.X EE
7.0.0 M1