- Type: Bug
- Status: Closed
- Resolution: Duplicate
- Affects Version/s: 5.2.3
- Fix Version/s: 6.0.3 GA
- Component/s: Accessibility, Security Vulnerability
- Labels: None
- Environment: liferay.com
- Liferay Contributor's Agreement: Accept

I tried to explain this issue in this forum: http://www.liferay.com/web/guest/community/forums/-/message_boards/message/4206917
Actually, I'm just a normal user, but I can insert (for example) some JavaScript into the wiki. Just check this wiki page I just created on liferay.com: http://www.liferay.com/web/guest/community/wiki/-/wiki/Main?_36_title=Test%20for%20XSS
In my case I've inserted just an alert, but it may be much, much more dangerous JavaScript. As a result, this JavaScript, entered by me (again, I'm just a normal user on liferay.com), will be executed for any user who opens this page.
I'm afraid it is a HUGE security problem! I cannot change the Main wiki page (I have no permissions for it), but I can change many pages and insert dangerous JavaScript in many places on liferay.com.
The same applies to any installation of Liferay.