[LPS-42754] Navigate to control panel will throw XSS window after leaving the site with JS name. - Liferay Issues

XML

Word

Printable

Details

Type: Regression Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.2.0 CE GA1, 7.0.0 M3
Fix Version/s: 6.2.3 CE GA4, 6.2.X EE, 7.0.0 M1
Component/s: Security Vulnerability, ~ [Archived] Frontend Infrastructure
Labels:
Environment:
Tomcat 7.0.42 + MySQL 5.5.34. Portal master GIT ID: 9cc4997fe5920c162862c06686b88dd9549af70f.

Branch Version/s:

6.2.x
Backported to Branch:

Committed
Story Points:
5
Fix Priority:
4
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/15685

Description

Create a Site named <script>alert("123");</script> .
Give a page to the site.
View the page -> Admin -> control panel.

Expected result:
There should be no JS alert shows up.

Actual result:
It will alert JS window.

CVSS Base Score: 7.1
CVSS Temporal Score: 5.6
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C/E:P/RL:OF/RC:C)

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

attachment.gif
543 kB
04/Dec/13 12:08 AM
Screen Shot 2013-12-10 at 11.21.45 AM.png
11 kB
10/Dec/13 11:22 AM
Screen Shot 2013-12-10 at 11.22.04 AM.png
8 kB
10/Dec/13 11:22 AM

Issue Links

is duplicated by

LPS-54303 Various XSS issues in 6.2.2

Closed

relates

LPE-13167 Navigating to control panel will show XSS alert after leaving the site with JS name

Closed

Activity

People

Assignee:

Serena Song (Inactive)

Reporter:

Serena Song (Inactive)

Participants of an Issue:

Robert Frampton, Serena Song

Recent user:

Esther Sanz

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

04/Dec/13 12:08 AM

Updated:

05/Aug/16 1:09 AM

Resolved:

10/Dec/13 7:04 PM

Days since last comment:

6 years, 31 weeks, 5 days ago

Packages

Version	Package
6.2.3 CE GA4
6.2.X EE
7.0.0 M1