CST-7216 Multiple XSS vulnerabilities in 7.1.3 and 7.2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.1.3, 7.2.1 and possibly earlier unsupported versions allow remote attackers to inject arbitrary web script or HTML via (1) the user name parameter to Portal Search; (2) the user name parameter to Calendar; (3) the 'keywords' search parameter to Document Library; (4) the request URL in themes; (5) the 'portletURL' or (6) the 'url' parameter to the 'liferay-ui' taglib; or (7) the page name parameter to Site Navigation.

Severity

Severity 2

Fixed Version(s)

Acknowledgments

Some vulnerabilities reported by Casey Erdmann, Giuseppino Cadeddu and Simone Cinti

Publication date: Tue, 09 Jun 2020 02:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.