Description
This fix groups several minor XSS issues discovered in Liferay Portal 6.2.0 into a single CST patch. The following fixes are included:
- LPS-43095 - XSS issue in DDL - ability to inject script into page links
- LPS-43096 - XSS issue in Site Map - ability to inject script into page titles in Site Map
- LPS-43152 - XSS in Recycle Bin - ability to inject script into page titles viewed by Recycle Bin
- LPS-43154 - XSS in Polls - ability to inject script into user profile and viewed by Polls
- LPS-43299 - XSS in Wiki - ability to inject code into user profile and viewed in History tab in Wiki
- LPS-43300 - XSS in staging - ability to inject code into user profile and viewed by admin on live site
- LPS-43303 - XSS in Bookmark - ability to inject code into user profile and viewed in a Bookmark
- LPS-43304 - XSS in Look and Feel - ability to inject code in Look and Feel dialogs
- LPS-43307 - XSS problem when displaying search results for various portlets
- LPS-43397 - XSS in staging when adding an event - ability to inject code into scheduled publish-to-live events
- LPS-43398 - XSS in web content display - injecting code into article title and viewing print mode
- LPS-43401 - XSS in scope - ability to inject code into page title when selecting scope for a portlet
- LPS-43464 - XSS in Thread Priorities in Message Boards - ability to inject code into title of message board post's priority
Severity
Severity 2
Affected Version(s)
Publication date: Thu, 13 Feb 2014 17:48:00 +0000