Liferay Portal Multiple Security Vulnerabilities
BID:53546
| Bugtraq ID: | 53546 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 15 2012 12:00AM |
| Updated: | May 18 2012 06:00PM |
| Credit: | Jelmer Kuperus |
| Vulnerable: | Liferay Enterprise Portal 6.0.6 GA, Liferay Enterprise Portal 6.0.5 GA, Liferay Enterprise Portal 6.0.4 GA, Liferay Enterprise Portal 6.1 ee, Liferay Enterprise Portal 6.1 ce, Liferay Enterprise Portal 6.0.6 ce, Liferay Enterprise Portal 6.0.5 ce, Liferay Enterprise Portal 6.0 |
| Not Vulnerable: | |
Discussion
Liferay Portal is prone to multiple security vulnerabilities including:
1. Multiple cross-site scripting vulnerabilities
2. A cross-site scripting vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
6. A cross-site request-forgery vulnerability
An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, perform unauthorized actions in the context of a user's session or perform unauthorized actions. Other attacks are also possible.
Liferay Portal 6.1 ce and 6.1 ee are vulnerable; other versions may also be affected.
Exploit / POC
Attackers can exploit these issues via a browser. To exploit the cross-site scripting issue, an attacker must entice an unsuspecting user into following a malicious URI.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- Liferay Homepage (Liferay)
- Guests can view names and emailadresses of all Liferay users in (Jelmer Kuperus)
- Liferay 6.1 can be compromised without having an account on the portal (Jelmer Kuperus)
- Liferay 6.1 json webservices are subject to cross-site request forgery attacks (Jelmer Kuperus)
- Multiple xss issues in Liferay (Jelmer Kuperus)