[LPS-58018] XSL Content portlet can be configured with any XML/XSL - Liferay Issues

Details

Type: Bug
Status: Closed
Resolution: Duplicate
Affects Version/s: 6.2.3 CE GA4
Fix Version/s: 6.0.X EE, 6.1.X EE, 6.2.X EE, 7.0.0 M5
Component/s: Security Vulnerability
Labels:
- cst-patch

Description

The XSL Content portlet allows anyone who has permission to configure the portlet to specify any XML/XSL file. By creating the appropriate XML/XSL file, a user can access any file on the system, launch denial-of-service attacks and more.

Attachments

Activity

People

Assignee:

Samuel Kong

Reporter:

Samuel Kong

Participants of an Issue:

Samuel Kong

Recent user:

Esther Sanz

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

19/Aug/15 3:02 AM

Updated:

02/Dec/15 4:45 AM

Resolved:

26/Aug/15 2:45 AM

Days since last comment:

3 years, 40 weeks, 5 days ago