Liferay Portal 'p_p_id' Parameter HTML Injection
Medium Nessus Network Monitor Plugin ID 5296
Synopsis: The remote web server is hosting an application that is vulnerable to an HTML-injection attack.
Description: The remote web server is running Liferay Portal, a Java-based web portal. The installed version is earlier than 5.3.0. Such versions are potentially affected by an HTML injection vulnerability because the application fails to properly sanitize user-supplied input to the 'p_p_id' parameter. An unauthenticated attacker can supply malicious data, which is then displayed to an administrator in another page.
Solution: Upgrade to Liferay Portal 5.3.0 or later.