CST-7109 XXE vulnerability in XSL Content & Web Content

Description

The default configuration for Liferay Portal 7.0.0 through 7.1.0 allows attackers to conduct XML External Entity (XXE) attacks via XSL templates in XSL Content and Web Content.

Workaround:
1. Navigate to: Control Panel > Configuration > System Settings > Platform > Template Engines > XSL Engine
2. Enable "Secure Processing Enabled"
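
For code that runs XSL transformations itself, the following added example (not Liferay's code and not part of the original advisory) shows the comparable hardening in standard JAXP and checks it against a constructed template. It assumes the JDK's built-in XSLT implementation; that Liferay's "Secure Processing Enabled" setting maps to these JAXP features is an assumption, and the class name, sample template and placeholder path are hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureXslCheck {

    // Constructed sample: an XSL template that declares an external entity.
    // The URI is a placeholder; a hardened factory must refuse to fetch it.
    static final String XSL =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
        + "<xsl:stylesheet version=\"1.0\""
        + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
        + "<xsl:template match=\"/\"><out>&ext;</out></xsl:template>\n"
        + "</xsl:stylesheet>";

    // Factory with JAXP secure processing on and external fetches denied.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5+: an empty value means no protocol is permitted.
        // Assumes the JDK's built-in implementation, which supports these.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory tf = hardenedFactory();
        try {
            // Compiling the template parses it, including its DOCTYPE.
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSL)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            System.out.println("Template was processed, review hardening: " + out);
        } catch (Exception e) {
            // With the restrictions in place the external entity is refused.
            System.out.println("Template rejected: " + e.getMessage());
        }
    }
}
```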

Severity

Severity 1

Fixed Version(s)

Publication date: Mon, 12 Nov 2018 10:25:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.