Description
The default configuration for Liferay Portal 7.0.0 through 7.1.0 allows attackers to conduct XML External Entity (XXE) attacks via XSL templates in XSL Content and Web Content.
Workaround:
1. Navigate to: Control Panel > Configuration > System Settings > Platform > Template Engines > XSL Engine
2. Enable "Secure Processing Enabled"
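For code that compiles XSL templates directly, the same class of hardening can be expressed with standard JAXP calls. The following is an added example, not Liferay's code: how the portal implements "Secure Processing Enabled" is not stated here, and the class name, the canary file and the template are constructed for the check. It assumes the JDK's built-in JAXP implementation.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XslSecureProcessingCheck {

    // Factory with JAXP secure processing on and external resolution disabled.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty value permits no protocol at all.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True if the factory refuses to compile the template.
    static boolean rejects(TransformerFactory tf, String xsl) {
        try {
            tf.newTemplates(new StreamSource(new StringReader(xsl)));
            return false;
        } catch (TransformerException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed canary: a harmless temp file standing in for a local resource.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.write(canary, "CANARY".getBytes());
        // Constructed template that declares an external entity pointing at the canary.
        String xsl = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]>\n"
            + "<xsl:stylesheet version=\"1.0\""
            + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
            + "<xsl:template match=\"/\"><out>&ext;</out></xsl:template>\n"
            + "</xsl:stylesheet>";
        System.out.println("default factory rejects template:  "
            + rejects(TransformerFactory.newInstance(), xsl));
        System.out.println("hardened factory rejects template: "
            + rejects(hardenedFactory(), xsl));
        Files.delete(canary);
    }
}
```

Running the same check against a template engine after a configuration change gives a quick regression test that external entities in templates are no longer resolved.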
Severity
Severity 1
Fixed Version(s)
- Liferay Portal 7.1.1
- March 2020 source patch for Liferay Portal 7.0.6. Details for working with source patches can be found on the Patching Liferay Portal page.
Publication date: Mon, 12 Nov 2018 10:25:00 +0000