Liferay Portal 'p_p_id' Parameter HTML Injection

Medium

Synopsis

The remote web server is hosting an application that is vulnerable to an HTML injection attack.

Description

The remote web server is running Liferay Portal, a Java-based web portal. The installed version is earlier than 5.3.0. Such versions are potentially affected by an HTML injection vulnerability because the application fails to properly sanitize user-supplied input to the 'p_p_id' parameter. An unauthenticated attacker can supply malicious data, which is then displayed to an administrator on another page.

Solution

Upgrade to Liferay Portal 5.3.0 or later.