Issue
- A reflected Cross-Site Scripting (XSS) vulnerability is present when using the AssetPublisher.
- Steps to reproduce the behavior:
- Content & Data > Web Content > + Basic Web Content > Title "test" > Content "test"
- Site Builder > Pages > + Page > Widget Page > Name "Test" > 2 Columns > Save
- Access "Test" Page > + Asset Publisher > "Select a collection to make it visible" > "Dynamic"
- Click on "Test" Page > Change URL to http://localhost:8080/tester-page1/-/asset_publisher/gHEKIBqFRhUU/content/test?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_gHEKIBqFRhUU_assetEntryId=44315&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_gHEKIBqFRhUU_redirect=redirect=javascript%26colon;(print)(
- The page is still accessible and the browser's print dialog opens, i.e. the injected print() call executes.
- The print() call executing indicates a successful Cross-Site Scripting attack. This is a vulnerability because user-supplied data (here the value of the redirect parameter) is reflected without appropriate HTML escaping or output encoding, so a JavaScript payload injected into the endpoint is executed within the context of the victim's browser.
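The following Python is an added illustration, not Liferay's code or the fix shipped in 2024.Q1: it shows why a scheme check performed before HTML-entity decoding misses the "javascript&colon;" form used in the reproduction URL above, and how a redirect parameter can be normalized, validated and HTML-escaped before it is reflected. The sample value is taken from the URL above; the helper names are hypothetical.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample: the raw value of the ..._redirect parameter from the
# reproduction URL above, before any decoding.
PAYLOAD = "redirect=javascript%26colon;(print)("


def naive_is_safe_redirect(value: str) -> bool:
    """Weak check: inspects the scheme of the value as received.
    '&colon;' contains no literal ':', so no scheme is detected and the
    value passes even though a browser will decode it to 'javascript:'."""
    return urlsplit(value).scheme.lower() not in ("javascript", "data", "vbscript")


def normalize(value: str) -> str:
    """Undo percent- and HTML-entity encoding until the value is stable
    (bounded to avoid pathological input), then drop ASCII control
    characters that browsers ignore inside a URL scheme."""
    for _ in range(5):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return "".join(ch for ch in value if ch > "\x1f" and ch != "\x7f")


def is_safe_redirect(value: str) -> bool:
    """Hardened check: allow only site-relative paths. Anything carrying a
    scheme or a host ('javascript:', 'https://', '//host', '/\\host') is
    rejected after normalization, so encoding tricks do not help."""
    target = normalize(value).strip()
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def render_redirect_link(value: str, fallback: str = "/") -> str:
    """Reflect the redirect into HTML safely: validate first, fall back to
    a known-good path, and HTML-escape the attribute value so the markup
    cannot be broken out of even if validation is later relaxed."""
    target = value if is_safe_redirect(value) else fallback
    return '<a href="%s">Back</a>' % html.escape(target, quote=True)
```

Running normalize() on the sample value yields "javascript:(print)(", which the naive check accepts and the hardened check rejects.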
Environment
- DXP 7.4
Resolution
- This vulnerability has been addressed and fixed in Quarterly Release 2024.Q1.