Description
In Liferay Portal 7.0.1 and earlier, PDFBox does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
Severity
Severity 1
Fixed Version(s)
- Liferay Portal 7.0.2
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page.
Publication date: Tue, 23 Aug 2016 07:33:00 +0000