Summary
Liferay DXP 7.3 before update 6 and 7.4 before update 15 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) namespace parameter. This change was made to address the XSS vulnerability found in the Frontend Editor module and addressed in Liferay Portal 7.5.
XSS can be caused by a malicious user and can be used to spy on the user.
Vulnerability and change
This change was made to address the XSS vulnerability found in the Frontend Editor module and addressed in Liferay Portal 7.5. Remote attackers can exploit the vulnerability to inject arbitrary web script or HTML via the (1) name or (2) namespace parameter. XSS can be caused by a malicious user and can be used to spy on the user. Liferay DXP 7.3 before update 6 and 7.4 before update 15 are affected.
Overview of the Liferay CVE
The following vulnerabilities were fixed in Liferay Portal 7.5:
CVE-2018-6533: XSS vulnerability in modules/lib/frontend_editor/html/form.jsp
CVE-2015-7770: XSS vulnerability in modules/app_server/system_jsr88.jsp
CVE-2016-5778: XSS vulnerability in modules/common/security_check.jsp
CVE-2017-10348: XSS vulnerability in modules/portal/_modalPopup.js
Timeline
Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/20/2022 18:08:00 UTC