Description
A persistent XSS exists in the HTML editor.
Impact
A user capable of creating new posts can attack end users when they click on a malicious link. An attacker can redirect a victim to a fake logon page and harvest logon credentials.
Exploitation
Create a new article/entry with the following URL link.
The XSS payload is executed when a victim clicks on the link.
Remediation
Implement strict input validation.
Which versions of alloy-editor, and which browser / OS are affected by this issue? Did this work in previous versions?
Liferay Community Edition Portal 7.3.4 CE GA5 (Athanasius / Build 7304 / August 11, 2020)
ckeditor 4.14.1
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N/CR:L/MAC:L/MPR:N/MC:L/MI:N/MA:N
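As an added example (not part of this issue, nor of the alloy-editor or CKEditor code), one way to implement the recommended input validation for editor links is an href scheme allowlist. It assumes the stored payload is a link whose href carries a script-scheme URL (the issue does not show the payload), and that the check runs on the attribute value, not on raw HTML text.

```javascript
// Added example: allowlist check for link hrefs produced by an HTML editor.
// The link is only stored if its scheme is one a plain hyperlink may use.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Browsers decode numeric character references inside attribute values,
// so "&#106;avascript:" becomes "javascript:" once the page is rendered.
// Decoding them here keeps the check aligned with what the browser sees.
// (Named references such as &colon; are not handled; validate the
// DOM-parsed attribute value in production so all of them are covered.)
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, code) =>
    String.fromCodePoint(
      code[0].toLowerCase() === 'x'
        ? parseInt(code.slice(1), 16)
        : parseInt(code, 10)
    )
  );
}

function isSafeHref(rawHref) {
  if (typeof rawHref !== 'string') return false;
  let cleaned;
  try {
    cleaned = decodeNumericEntities(rawHref);
  } catch {
    return false; // out-of-range code point: fail closed
  }
  // The URL parser strips tabs, newlines and leading/trailing control
  // characters before resolving, so "java\tscript:" still resolves to the
  // javascript scheme. Removing every control character here is stricter
  // than the browser and therefore safe for a validator.
  cleaned = cleaned.replace(/[\u0000-\u0020\u007f]/g, '');
  if (cleaned === '') return false;
  let url;
  try {
    // Resolving against a fixed base lets relative links ("/page") pass
    // as https: while absolute URLs keep their own scheme.
    url = new URL(cleaned, 'https://example.invalid/');
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}
```

Only the scheme decision uses the cleaned string; the original href is what gets stored when the check passes.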