CST-6237 Password disclosure through IFrame portlet

Description

The IFrame portlet in Liferay Portal 6.2.5 and earlier does not properly check a user's permission to configure the portlet, which allows attackers to configure the portlet to steal user passwords.

Workaround: Remove the "Add to Page" permission for the IFrame portlet from any untrusted role. This is usually the 'User' and the 'Power User' roles.

Severity

Severity 1

Fixed Version(s)

Publication date: Mon, 02 Mar 2020 07:21:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.