CVE-2008-0180

Description

Cross-site scripting (XSS) vulnerability in themes/_unstyled/templates/init.vm in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Greeting field in a User Profile.

Affected products

• Liferay / liferay_enterprise_portal
• Liferay / liferay_enterprise_portal1.0 – 1.0
• Liferay / liferay_enterprise_portal2.0 – 2.0
• Liferay / liferay_enterprise_portal2.1.0 – 2.1.0
• Liferay / liferay_enterprise_portal2.1.1 – 2.1.1
• Liferay / liferay_enterprise_portal2.2.0 – 2.2.0
• Liferay / liferay_enterprise_portal3.6.1 – 3.6.1
• Liferay / liferay_enterprise_portal4.1 – 4.1
• Liferay / liferay_enterprise_portal4.1.1 – 4.1.1
• Liferay / liferay_enterprise_portal4.1.3 – 4.1.3
• Liferay / liferay_enterprise_portal4.3.1 – 4.3.1
• Liferay / liferay_enterprise_portal4.3.6 – 4.3.6

References

• MISChttp://www.securityfocus.com/bid/27546
• VENDOR_ADVISORYhttp://secunia.com/advisories/28742
• MISChttp://www.kb.cert.org/vuls/id/732449
• MISChttp://support.liferay.com/browse/LEP-4738