Sonatype Vulnerability com.liferay.portal.impl@42.0.0?type=jar
Hello,
Has Liferay done Sonatype scanning on the latest build (the GA40 releases)? We ran a Sonatype scan that reported the following vulnerability on the component com.liferay.portal.impl@42.0.0?type=jar. Will Liferay be providing an upgrade path for this vulnerability?
Below is the Sonatype scan assessment:
Recommended Version(s): No recommended versions are available for the current component.
Explanation: Liferay Portal contains a Cross-site Scripting (XSS) vulnerability. The `getCurrentCompleteURL` and `getCurrentURL` methods in `PortalImpl.class` do not properly escape the URL string. An attacker can exploit this by including malicious HTML code in the URL string that would then be parsed and executed.
Detection: The application is vulnerable by using this component.
Recommendation: There is no non vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Thanks,
Kevin