Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-53412

Stored XSS via Google Analytics ID after updating Google Analytics Script

    XMLWordPrintable

    Details

      Description

      Steps to reproduce:
      1, Go to Site Settings in Control Panel
      2, Enter this Google Analytics ID: 

      </script><script>alert(/googleAnalyticsId/);</script>

      3, Go to the site

      Expected result: no pop-up
      Actual result: a pop-up appears

      CVSS Base Score: 7.1
CVSS Temporal Score: 5.6
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C/E:P/RL:OF/RC:C)

        Attachments

          Issue Links

          relates

          Bug - A problem which impairs or prevents the functions of the product. LPS-53243 Liferay's Google Analytics script is outdated

          • Closed

          Regression Bug - Used by Liferay QA to indicate an issue discovered during regression testing LPE-13413 Stored XSS via Google Analytics ID after updating Google Analytics Script

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

            Activity

              People

              • Assignee:
                felix.zhang Felix Zhang
                Reporter:
                kayleen.lim Kayleen Lim
                Participants of an Issue:
                Recent user:
                Esther Sanz
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  4 years, 46 weeks, 3 days ago

                  Packages

                  Version Package
                  6.2.3 CE GA4
                  6.2.X EE
                  7.0.0 M4