PUBLIC - Liferay Portal Community Edition / LPS-53412

Stored XSS via Google Analytics ID after updating Google Analytics Script

      Description

      Steps to reproduce:
      1. Go to Site Settings in Control Panel
      2. Enter this Google Analytics ID:

      </script><script>alert(/googleAnalyticsId/);</script>

      3. Go to the site

      Expected result: no pop-up
      Actual result: a pop-up appears


      CVSS Base Score: 7.1
      CVSS Temporal Score: 5.6
      CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C/E:P/RL:OF/RC:C)
      

              People

              • Assignee: Felix Zhang (felix.zhang)
              • Reporter: Kayleen Lim (kayleen.lim)
              • Participants of an Issue:
              • Recent user: Esther Sanz
              • Votes: 0
              • Watchers: 1

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  5 years, 5 weeks ago

                  Packages

                  Version Package
                  6.2.3 CE GA4
                  6.2.X EE
                  7.0.0 M4
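
The failure mode in the steps to reproduce, as an added example that is not part of the original issue and is not Liferay's code: a stored value written into an inline script block ends that block at the first </script>, whatever the JavaScript quoting around it. The template shape, the function names and the UA-style ID allowlist are assumptions made for illustration.

```javascript
// Added example, not Liferay code. Assumed template: the stored ID is written
// into an inline <script> block as a quoted JavaScript string.
function renderUnsafe(gaId) {
  return `<script>ga('create', '${gaId}', 'auto');</script>`;
}

// Allowlist for the classic Universal Analytics ID form (UA-<account>-<property>).
// Assumption: widen this only to formats the deployment really accepts.
const GA_ID = /^UA-\d{4,10}-\d{1,4}$/;

function validateGaId(raw) {
  const id = String(raw).trim();
  return GA_ID.test(id) ? id : null;
}

// Defence in depth for any value placed in an inline script: emit a JSON string
// literal and escape the characters the HTML parser reacts to, so "</script>"
// can never appear in the output even if validation is bypassed or loosened.
function escapeForInlineScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: reject anything that is not a well-formed ID (the snippet
// is omitted entirely), then still encode the value for the script context.
function renderSafe(gaId) {
  const id = validateGaId(gaId);
  if (id === null) return '';
  return `<script>ga('create', ${escapeForInlineScript(id)}, 'auto');</script>`;
}

// Rough check for reviewers and tests: how many times does the output close a
// script element? A single inline snippet should close exactly one.
function countScriptCloseTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The value from step 2 of the issue, used here only as test input.
const PAYLOAD = '</script><script>alert(/googleAnalyticsId/);</script>';

console.log('unsafe closes:', countScriptCloseTags(renderUnsafe(PAYLOAD)));
console.log('safe output  :', JSON.stringify(renderSafe(PAYLOAD)));
console.log('valid ID     :', renderSafe('UA-12345-1'));
```

Validation belongs at the point where Site Settings are saved and encoding at the point where the page is rendered, so values stored before the fix are still neutralised on output.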