Description
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.1.3, 7.2.1, and possibly earlier unsupported versions allow remote attackers to inject arbitrary web script or HTML via (1) the user name parameter to Portal Search; (2) the user name parameter to Calendar; (3) the 'keywords' search parameter to Document Library; (4) the request URL in themes; (5) the 'portletURL' or (6) 'url' parameter to the 'liferay-ui' taglib; or (7) the page name parameter to Site Navigation.
Severity
Severity 2
Fixed Version(s)
- Liferay Portal 7.2.1
- June 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page.
Acknowledgments
Some vulnerabilities reported by Casey Erdmann, Giuseppino Cadeddu and Simone Cinti
Publication date: Tue, 09 Jun 2020 02:00:00 +0000