Security Advisory: Multiple advisories for Liferay Portal 6.2 CE GA3

James Falkner, modified 9 Years ago.

The following security advisories have been announced for Liferay Portal 6.2 CE GA3 (6.2.2):
  • CST-SA: LPS-54386 XML external entity (XXE) processing vulnerability in 6.2.2
  • CST-SA: LPS-54384 User enumeration with Sign In portlet in 6.2.2
  • CST-SA: LPS-54382 Insecure handling of authentication information in 6.2.2
  • CST-SA: LPS-54306 Incorrect permission checking in 6.2.2
  • CST-SA: LPS-54303 Various XSS issues in 6.2.2
As always, a source patch for each vulnerability is now available through the Known Vulnerabilities page. In addition, a cumulative source and binary patch are available that include all CST patches released for this version of Liferay. Please see the Security Patch Information page for details on how to apply these patches.

IMPORTANT: If you are subscribed to this forum via RSS or Email Subscriptions - if you wish to continue to receive notifications, you must re-subscribe to the CST's new home. See this thread for details.

Note in the README that from now on, the CST will issue two flavors of patches (you only need to install one of them) to deal with classloader issues on some app servers. See the SourceForge page (bottom of page) for more detail.

Liferay Portal CE users are strongly advised to keep abreast of all new security advisories and apply associated fixes to your Liferay deployments.