Issue
JavaScript code can be entered in the Matomo (DXP 7.4) or Piwik (DXP 7.0-7.3) field of a Site's analytics settings, and that code is then executed on every page of the site. To reproduce:
- Go to a Site's Configuration -> Site Settings -> Analytics
- Under the Matomo or Piwik field, paste something like:
"><img src=x onerror=alert(origin)>
- Click on Save
From then on, any time you visit a page of that site, you'll see a pop-up.
Environment
DXP 7.0+
Resolution
This isn't a true vulnerability: fields like Matomo must accept JavaScript, because the analytics tracking snippet that these services provide is itself JavaScript and has to run on every page for the service to work. Only users with permission to edit the Site's settings can change the field.
If you don't need Matomo, you can disable it by:
- Go to Control Panel -> Instance Settings -> Platform -> Analytics
- Remove Matomo from the list and save
Now the Matomo field is no longer an option within the Site’s settings.
Additional Information
Does having a script in a fragment qualify as a potential XSS vulnerability?
Does having a script in a button fragment qualify as a potential XSS vulnerability?