Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-53412

Stored XSS via Google Analytics ID after updating Google Analytics Script

    XMLWordPrintable

    Details

      Description

      Steps to reproduce:
      1, Go to Site Settings in Control Panel
      2, Enter this Google Analytics ID: 

      </script><script>alert(/googleAnalyticsId/);</script>

      3, Go to the site

      Expected result: no pop-up
      Actual result: a pop-up appears

      CVSS Base Score: 7.1
CVSS Temporal Score: 5.6
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C/E:P/RL:OF/RC:C)

        Attachments

          Issue Links

          relates

          Bug - A problem which impairs or prevents the functions of the product. LPS-53243 Liferay's Google Analytics script is outdated

          • Closed

          Regression Bug - Used by Liferay QA to indicate an issue discovered during regression testing LPE-13413 Stored XSS via Google Analytics ID after updating Google Analytics Script

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

            Activity

              People

              Assignee:
              felix.zhang Felix Zhang
              Reporter:
              kayleen.lim Kayleen Lim
              Participants of an Issue:
              Recent user:
              Esther Sanz
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                6 years, 35 weeks, 1 day ago

                  Packages

                  Version Package
                  6.2.3 CE GA4
                  6.2.X EE
                  7.0.0 M4