SB2017080825 - Multiple vulnerabilities in Liferay Portal
Published: August 8, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Denial of service (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to errors in AggregateFilter, MinifierFilter and DynamicCSSFilter components. A remote attacker can use a specially crafted URL to consume all available disk space on the system and cause denial of service (DoS) conditions.
2) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to insufficient input sanitization when creating or editing Wiki pages. A remote authenticated attacker with permissions to create or edit a Wiki page can cause a denial of service (DoS) in the portal via crafted form parameters.
3) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization in various web application components. A remote attacker can trick the victim into visiting a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of the affected website.
4) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive data.
The vulnerability exists due to excessive data output. A remote attacker can use a specially crafted URL to obtain path to all OSGi bundles.
Remediation
Install update from vendor's website.