Description
Several vulnerabilities have been identified in Liferay Portal:

- CVE-2016-10404: cross-site scripting via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp
- CVE-2017-12645: cross-site scripting via an invalid portletId
- CVE-2017-12646: cross-site scripting via a login name, password, or e-mail address
- CVE-2017-12647: cross-site scripting via a Knowledge Base article title
- CVE-2017-12648: cross-site scripting via a bookmark URL
- CVE-2017-12649: cross-site scripting via a crafted title or summary that is mishandled in the Web Content Display
- denial of service. A remote attacker could exploit it in order to create a denial of service situation by using a crafted URL.
- denial of service via the editing of a wiki page. An authenticated remote attacker could exploit it in order to create a denial of service situation by using a form with crafted parameters.
- path disclosure. A remote attacker could exploit it in order to get the path to all OSGi bundles by using a crafted URL.

Updated, 08/08/2017:

An additional vulnerability, fixed by the same patches, was reported:

- CVE-2017-1000425: cross-site scripting via the "movie" parameter in "/html/portal/flash.jsp"