Liferay Portal Security Bypass and HTML Injection Vulnerabilities
The information has been provided by Matthew Kong, Kalman Vincze, Norbert Kocsis, Samuel Kong, and Amos Fong.
* Liferay Portal 6.1 CE GA2 (6.1.1) and prior
An attacker may leverage the HTML-injection issue to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. The attacker may leverage the security-bypass issue to bypass certain security restrictions and perform unauthorized actions in the affected application.
Published: October 24 2012