This issue is due to the sharing module parsing the URL path for sharing content from users rather than the URL path for sharing assets. An attacker can exploit this vulnerability to inject arbitrary code into the application or cause a denial of service. This issue affects Liferay Portal 7.2.1 through 7.4.2, Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4. It is likely to be encountered in any application that uses the sharing module.

In the Shadowsocks exploit example, an attacker sends the victim a link to the shared asset that carries a crafted payload. When the victim clicks the link, the shared asset is loaded and the exploit code is executed. The notification email received by the user does not contain any script, but the user does receive a notification about the shared asset, which an attacker can use to exploit this vulnerability.

- CVE-2017-10906: Cross-site scripting (XSS) vulnerability in the Errors module in Liferay Portal 7.2.1 through 7.4.2, Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML code into the application by injecting an error message. The vulnerability is due to insufficient validation of user-supplied input by the Errors module. An attacker can exploit this vulnerability to inject script or HTML code into the application, causing a client-side error that can

Vulnerability Scenario

A user clicks on a link to a shared asset. The shared asset is loaded, but the content of the notification email sent to the user does not contain any script.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/17/2022 14:54:00 UTC
