[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Liferay Portal 6.2 EE SP8 Cross Site Scripting Vulnerability

Author
Ariel Walter Garcia
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-22910
Category
web applications
Date add
21-11-2014
CVE
CVE-2014-8349
Platform
php
- Vendor Status: CONFIRMED

- Vendor Disclosure Date: October 17th 2014

- Public Disclosure Date: November 14th 2014

- Affected Vendor: LIFERAY - http://www.liferay.com/

- Affected System: Liferay Portal 6.2 EE SP8 and older versions

- Vulnerability Status: Fixed


Associated CWE:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html

******************************************************************************

CVE-2014-8349:

Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) allows remote authenticated users to inject arbitrary web script or HTML via the "_20_body" parameter in the comment field of an uploaded file.

The Javascript injection will later exploit when clicking on "View" from under the "My Workflow Tasks" option within the "My Account" menu, when logged in with an administrator account, and looking for the approval of comments.


- Available fix:

  Patch: LPE-12961

#  0day.today [2024-11-16]  #