| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | maven | >= 7.4.0-ga1, <= 7.4.3.132-ga132 | |
The analysis began by examining the provided commit, which clearly showed a security fix for a cross-site scripting vulnerability. The patch was located in a JSP file, page.jsp, and involved adding HtmlUtil.escape() to a value being rendered in an HTML input tag. This is a standard mitigation for XSS.

The vulnerability description specified that the assetTagNames parameter in the UsersAdminPortlet was the injection point. This indicates that the vulnerable page.jsp is used as part of the Users Admin functionality.

For a Java application server, JSP files are compiled into servlets. The code within the JSP is executed in the _jspService method of the compiled servlet. Therefore, the most precise runtime indicator of this vulnerability being triggered would be the execution of the _jspService method for the page.jsp file. The name of the generated servlet class follows a convention based on the file's path, leading to the identified function name org.apache.jsp.asset_005ftags_005fselector.page_jsp._jspService. This provides a specific, actionable indicator for security engineers to monitor in their environment.
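The class name above comes from the way Tomcat's Jasper compiler mangles a JSP path into a Java package and class: each path segment becomes an identifier, a '.' in the file name becomes '_', and any character that is not legal in a Java identifier (including '_' itself) is replaced by '_' followed by its four-digit hex code point. The following is an added example, not Liferay's or Tomcat's code: a Python re-implementation of those rules (after Jasper's JspUtil.makeJavaIdentifier and makeJavaPackage, as understood by this note's author) so a defender can turn any JSP path into the _jspService method name to watch for. The function names and the path "/asset_tags_selector/page.jsp" are this example's own; the path is inferred from the class name on the page, not taken from the Liferay source tree.

```python
# Re-implementation of Jasper's JSP-to-servlet naming rules (assumption:
# modelled on Tomcat's JspUtil.makeJavaIdentifier / makeJavaPackage).
# Not Liferay's or Tomcat's own code.

# Java reserved words; Jasper appends '_' when a mangled segment collides.
JAVA_KEYWORDS = {
    "abstract", "assert", "boolean", "break", "byte", "case", "catch", "char",
    "class", "const", "continue", "default", "do", "double", "else", "enum",
    "extends", "final", "finally", "float", "for", "goto", "if", "implements",
    "import", "instanceof", "int", "interface", "long", "native", "new",
    "package", "private", "protected", "public", "return", "short", "static",
    "strictfp", "super", "switch", "synchronized", "this", "throw", "throws",
    "transient", "try", "void", "volatile", "while", "true", "false", "null",
}


def _is_java_identifier_start(ch: str) -> bool:
    # Approximation of Character.isJavaIdentifierStart for the ASCII range.
    return ch.isalpha() or ch in "_$"


def _is_java_identifier_part(ch: str) -> bool:
    # Approximation of Character.isJavaIdentifierPart for the ASCII range.
    return ch.isalnum() or ch in "_$"


def _mangle_char(ch: str) -> str:
    # '_' + four lowercase hex digits of the code point, e.g. '_' -> '_005f'.
    return f"_{ord(ch):04x}"


def make_java_identifier(identifier: str, period_to_underscore: bool = True) -> str:
    """Turn one path segment or file name into a legal Java identifier."""
    out = []
    if identifier and not _is_java_identifier_start(identifier[0]):
        out.append("_")
    for ch in identifier:
        if _is_java_identifier_part(ch) and (ch != "_" or not period_to_underscore):
            out.append(ch)
        elif ch == "." and period_to_underscore:
            out.append("_")
        else:
            out.append(_mangle_char(ch))  # '_' itself lands here -> '_005f'
    result = "".join(out)
    if result in JAVA_KEYWORDS:
        result += "_"
    return result


def make_java_package(directory: str) -> str:
    """Map a directory path such as 'a/b_c' to a package suffix 'a.b_005fc'."""
    parts = [p for p in directory.split("/") if p]
    return ".".join(make_java_identifier(p) for p in parts)


def jsp_servlet_class_name(jsp_uri: str, base_package: str = "org.apache.jsp") -> str:
    """Fully qualified class name Jasper generates for a JSP at jsp_uri."""
    directory, _, file_name = jsp_uri.strip("/").rpartition("/")
    package = base_package
    if directory:
        package = f"{base_package}.{make_java_package(directory)}"
    return f"{package}.{make_java_identifier(file_name)}"


def jsp_service_method(jsp_uri: str) -> str:
    """The method whose execution indicates the JSP was rendered."""
    return jsp_servlet_class_name(jsp_uri) + "._jspService"


if __name__ == "__main__":
    # Path inferred from the class name on the page (assumption).
    print(jsp_service_method("/asset_tags_selector/page.jsp"))
```

Running the block prints org.apache.jsp.asset_005ftags_005fselector.page_jsp._jspService, the indicator named above; the same function can be applied to any other JSP a patch touches to produce the method name for a monitoring rule, and it also handles the edge cases Jasper handles (hyphens, leading digits, segments that collide with Java keywords).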