Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-5545

Script injection vulnerability

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Duplicate
    • Affects Version/s: 5.2.3
    • Fix Version/s: None
    • Component/s: Accessibility, Security Vulnerability
    • Labels:
      None
    • Environment:
      lportal 5.2.3 on any system, client A-grade browser ( IE, FF)

      Description

      This URL
      http://localhost:8080/web/guest?p_p_id=something&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&_82_struts_action=%2Flanguage%2Fview&languageId=1//--%3E%3C/script%3E%3CScRiPt%20%0D%0A%3Ealert%28%27Hacked%27%29%3B%3C/ScRiPt%3E%22

      cause excecution of Javascript in URL - 404 page shows URL unsanitized. Thought on the first view it is not a big issue this way is possible to send malicious URL by email and inject bad script and content to page.

        Attachments

          Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. LPS-5744 XSS security threat in language portlet

          • Closed

            Activity

              People

              Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              ra100 Rasto Rehak (Inactive)
              Participants of an Issue:
              Recent user:
              Esther Sanz
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                10 years, 47 weeks, 1 day ago

                  Packages

                  Version Package