| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | maven | = 7.4.3.132-ga132 | |
Analysis of the provided patches indicates a reflected cross-site scripting (XSS) vulnerability in Liferay Portal. The root cause lies in the file `portal-web/docroot/html/common/themes/bottom_js_script.jsp`.
Commit af4fc9238782c9f2f977d6b9d090ab7b9424dace reveals the core of the vulnerability. The file `bottom_js_script.jsp` was renamed to `bottom_js_script.jspf`, and a critical line was removed: `<% String snippet = ParamUtil.getString(request, "snippet"); %>`. This line read the `snippet` parameter directly from the incoming HTTP request, and its value was then written unchanged into a JavaScript block on the page. Because the parameter is attacker-controlled and lands inside executable script, a crafted URL carrying JavaScript in `snippet` would have that script executed in the context of the victim's browser.
The fix removes this direct parameter retrieval. The parent JSP, `bottom_js.jspf`, now obtains the snippet content from layout properties, a server-controlled and therefore trusted source, and then includes the `bottom_js_script.jspf` fragment. Only controlled data is rendered into the script tag, which mitigates the XSS risk.
The second commit, 6228bb1142e748342d3f170bf104f458ff59ddb2, adds a Playwright test case that attempts to exploit the issue by passing a `console.log` statement in the `snippet` parameter and asserts that the script is not executed. This confirms that the mitigation is effective.
The vulnerable function is therefore identified as the JSP file `bottom_js_script.jsp` itself, since that is where the untrusted input was read and rendered.
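The before/after behaviour described above, modelled as an added example in plain Node.js (this is not Liferay's code; the request stand-in, the `layoutProps` map and its `javascript` key are assumptions made for the illustration). The vulnerable renderer copies the request parameter into the script block, the fixed renderer reads only from server-side configuration, and a probe helper mirrors the idea of the Playwright regression test by checking whether a marker sent in the parameter reaches the rendered script verbatim.

```javascript
// Added example (not Liferay code): models the old and new behaviour of
// bottom_js_script.jsp(f). The request object, the layoutProps map and the
// "javascript" property name are assumptions for this illustration.

// Minimal stand-in for the servlet request: only query parameters are needed.
function makeRequest(query) {
  return {
    getParameter: (name) => (name in query ? String(query[name]) : ''),
  };
}

// BEFORE: the fragment read `snippet` straight from the request and wrote it
// into a <script> block, so anything in the query string became executable
// JavaScript without any encoding or validation.
function renderBottomScriptVulnerable(request) {
  const snippet = request.getParameter('snippet');
  return `<script type="text/javascript">\n${snippet}\n</script>`;
}

// AFTER: the parent JSP supplies the snippet from layout properties (server
// controlled configuration). The request is never consulted, so there is no
// path from a URL parameter into the script block.
function renderBottomScriptFixed(layoutProps) {
  const snippet = layoutProps.get('javascript') || '';
  return `<script type="text/javascript">\n${snippet}\n</script>`;
}

// Regression check in the spirit of the Playwright test: send a harmless
// marker as the parameter value and look for it in the rendered output.
// Returns true when the marker reached the script block unchanged.
function probeReflected(renderFn, probe) {
  const html = renderFn(probe);
  return html.includes(probe);
}

// Constructed sample values for the demonstration.
const PROBE = 'console.log("xss-probe")';
const LAYOUT_PROPS = new Map([
  ['javascript', 'Liferay.fire("bottomScriptReady");'],
]);

// Runs both renderers against the same probe and reports which one reflects it.
function demo() {
  const vulnerable = probeReflected(
    (p) => renderBottomScriptVulnerable(makeRequest({ snippet: p })),
    PROBE,
  );
  const fixed = probeReflected(
    // The fixed fragment ignores the request entirely; the probe has nowhere to go.
    () => renderBottomScriptFixed(LAYOUT_PROPS),
    PROBE,
  );
  return { vulnerable, fixed };
}

const demoResult = demo();
console.log(demoResult); // { vulnerable: true, fixed: false }
```

The point of the fix is that the data source changed, not that an encoder was added: the parameter is simply no longer read. Where request data genuinely has to reach a script context, the fallback is to JSON-encode it and escape `</` so it cannot close the script tag; that is a different mitigation from the one Liferay applied here.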