Liferay Portal Enterprise Edition Stored Cross-Site Scripting Vulnerability


Description   (:A vulnerability has been identified in Liferay Enterprise Edition portal backend.:A remote authenticated attacker can exploit it in order to execute arbitrary Javascript or HTML code by inciting their victim into following a specially formed link.::This vulnerability is located in the "Name_of_ldap_server" field.::A proof of concept is available.)
     
Vulnerable Products   Vulnerable Software:
Liferay (Liferay) - 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, ..., 6.1 GA1 CE, 6.1 GA1 EE, 6.1.2 CE, 6.1.x EE, 6.2 EE SP13
     
Solution   No solution for the moment.
     
CVE  
     
References   - oss-sec: Persistent XSS - Liferay Portal Enterprise Edition
http://seclists.org/fulldisclosure/2015/Oct/17
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
XSS - Prevention - POST : suspicious 'style' tag found in data
5.0.0
XSS - Prevention - POST : javascript code found in data
5.0.0
XSS - Prevention - POST : suspicious tag with event found in data
5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data
5.0.0
XSS - Prevention - POST : 'location' javascript object found in data
5.0.0
XSS - Prevention - POST : code allowing cookie access found in data
5.0.0
XSS - Prevention - POST : 'script' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data
5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data
5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data
5.0.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2015-10-04 

 Target Type 
Server 

 Possible exploit 
Remote