
Liferay Portal 'p_p_id' Parameter HTML Injection

Medium

Synopsis

The remote web server is hosting an application that is vulnerable to an HTML injection attack.

Description

The remote web server is running Liferay Portal, a Java-based web portal. The installed version is earlier than 5.3.0. Such versions are potentially affected by an HTML injection vulnerability because the application fails to properly sanitize user-supplied input to the 'p_p_id' parameter. An unauthenticated attacker can supply malicious data that is then displayed to an administrator on another page.
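
When triaging a host that runs an affected version, one way to check web server access logs for requests that placed markup in 'p_p_id' is sketched below. This is an added example, not part of the plugin or of Liferay's code; the log lines are constructed, and the allow-list of letters, digits and underscores for portlet IDs is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate portlet IDs contain only letters, digits and underscores.
SAFE_PORTLET_ID = re.compile(r"[A-Za-z0-9_]+")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2010:10:00:00 +0000] "GET /web/guest/home?p_p_id=58&p_p_state=maximized HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2010:10:00:05 +0000] "GET /web/guest/home?p_p_id=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2010:10:00:09 +0000] "GET /web/guest/home?p_p_id=%253Ci%253Etest HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2010:10:00:12 +0000] "GET /web/guest/home?other=%3Cb%3E HTTP/1.1" 200 5120',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_p_p_id(line):
    """Return the decoded p_p_id value if it is outside the allow-list, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query):  # parse_qsl decodes one layer itself
        if name == "p_p_id":
            decoded = fully_decode(value)
            if not SAFE_PORTLET_ID.fullmatch(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_p_p_id(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: p_p_id={value!r}")
```

Access logs record only the query string, so a 'p_p_id' value sent in a POST body would not be seen by this check.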

Solution

Upgrade to Liferay Portal 5.3.0 or later.