Vendor: Liferay Enterprise Portal
By: Unknown
CVSS: 5.5 (MEDIUM)
Vulnerability type: Cross-site scripting (XSS) and HTML Injection
CWE: 79
Product Name: Liferay Enterprise Portal
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:liferay:liferay_enterprise_portal
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Liferay Enterprise Portal Multiple XSS and HTML Injection Vulnerabilities

Liferay Enterprise Portal contains multiple cross-site scripting (XSS) and HTML injection vulnerabilities. They occur because user-supplied data from various input fields is included in server-generated content without proper validation or encoding. This allows typical XSS attacks against other users of the portal.

Mitigation:

To mitigate these vulnerabilities, validate user-supplied data and encode it before including it in server-generated content. Additionally, users should be educated about the risks of XSS attacks and how to prevent them.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10402/info

It has been reported that Liferay Enterprise Portal is susceptible to multiple cross-site scripting and HTML injection vulnerabilities. User-supplied data from many input fields is included in server-generated content without appropriate validation/encoding. This may allow for typical cross-site scripting attacks against other users of the portal.


Test:
Add a message with subject <script>history.go(-1)</script>
Now, no user can see the message board.
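
The subject from the test above, rendered once without encoding and once with the output encoding recommended under Mitigation. This is an added example, not Liferay source code and not part of the original advisory; the class and method names are hypothetical, and the table-cell markup is a constructed stand-in for the message board listing.

```java
// Added example: hypothetical names, not Liferay source code.
public class SubjectEncodingDemo {

    // Encode the five characters that are significant in HTML text and
    // quoted attribute values; everything else passes through unchanged.
    static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: the stored subject is concatenated into markup as-is.
    static String renderRowUnsafe(String subject) {
        return "<td class=\"subject\">" + subject + "</td>";
    }

    // Hardened pattern: encode at output time, in the HTML-body context.
    static String renderRowEncoded(String subject) {
        return "<td class=\"subject\">" + escapeHtml(subject) + "</td>";
    }

    public static void main(String[] args) {
        // Subject taken from the test on this page.
        String subject = "<script>history.go(-1)</script>";
        String unsafe = renderRowUnsafe(subject);
        String safe = renderRowEncoded(subject);
        System.out.println("unsafe:  " + unsafe);
        System.out.println("encoded: " + safe);
        // The encoded row must contain no markup originating from the subject.
        if (safe.contains("<script")) {
            throw new IllegalStateException("subject was not encoded");
        }
    }
}
```

Encoding at output time also neutralises subjects that were stored before the fix, which input validation alone does not.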