[LPS-56332] XSS issue in the list view interface in Web content portlet. - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.2.X EE
Fix Version/s: 6.2.4 CE GA5, 6.2.X EE
Component/s: Security Vulnerability, Web Content > Web Content Administration
Labels:

Branch Version/s:

6.2.x
Backported to Branch:

Committed
Story Points:
6
Fix Priority:
3
Git Pull Request:
https://github.com/daledotshan/liferay-portal-ee/pull/68

Description

1. Navigate to Control Panel > Site Administration > Web Content.
2. Set the view to List.
3. Create a Web Content article with the title: "><script>alert('Title1')</script>
4. Publish the article.

Expected Result:
No XSS pop-up will appear.
Actual Result:
XSS pop-up appears.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

fixed.png
27 kB
02/Jul/15 7:57 PM
reproduced.png
142 kB
02/Jul/15 7:57 PM

Issue Links

is duplicated by

LPS-57532 Various XSS issues in 6.2.3

Closed

is related to

LPS-47725 Unable to edit Web Content when journal.article.force.autogenerate.id=false and the articleId contains special characters

Closed

relates

LPE-13941 There was a XSS issue in the 'list view' interface within the Web content portlet

Closed

Activity

People

Assignee:: Hong Zhao (Inactive)

Reporter:: Hai Yu

Participants of an Issue:: Hai Yu, Hong Zhao

Recent user:: Marta Elicegui

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 12/Jun/15 2:04 AM

Updated:: 07/Apr/20 4:55 AM

Resolved:: 15/Jun/15 11:00 AM

Days since last comment:: 6 years, 46 weeks, 5 days ago

Packages

Version	Package
6.2.4 CE GA5
6.2.X EE