| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.account.admin.web | maven | >= 2.0.0, < 2.0.108 | 2.0.108 |

The vulnerability is a classic stored Cross-Site Scripting (XSS) issue in Liferay Portal's account management features. The root cause is a failure to properly sanitize user-controlled input before it is rendered on various pages. Specifically, the 'Title' of an Account Role and the 'Name' of an Organization can be crafted to contain malicious JavaScript code.

The analysis of the provided patches shows that several JSP (JavaServer Pages) files were modified to fix this vulnerability. These JSP files render the views for managing and viewing accounts, roles, and organizations. Before the patch, these pages rendered the names and descriptions of roles and organizations directly, so any embedded scripts were executed. The fix consistently wraps the output of the getter methods (e.g., getName(), getDescription(), getOrganizationNames()) with HtmlUtil.escape(). This function neutralizes any HTML or script tags, ensuring they are displayed as plain text rather than being executed by the browser.

The vulnerable functions identified are the _jspService methods of the servlets generated from the patched JSP files. These methods are the entry points for the rendering logic where the unescaped data was processed, and they are the functions that would appear in a runtime profile during exploitation of this vulnerability.

| Function | File |
|---|---|
| org.apache.jsp.account_entries_admin.account_entry.view_account_organizations_jsp._jspService | modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/account_entry/view_account_organizations.jsp |
| org.apache.jsp.account_entries_admin.account_entry.view_account_roles_jsp._jspService | modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/account_entry/view_account_roles.jsp |
| org.apache.jsp.account_entries_admin.select_account_organizations_jsp._jspService | modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/select_account_organizations.jsp |
| org.apache.jsp.account_entries_admin.select_account_roles_jsp._jspService | modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/select_account_roles.jsp |
| org.apache.jsp.account_entries_admin.view_jsp._jspService | modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/view.jsp |
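
The fix pattern described above (getter output wrapped in HtmlUtil.escape()) can be audited for mechanically. The following Python script is an added example, not code from Liferay or from the advisory: it heuristically flags JSP `<%= %>` expressions that call the getters named above outside an HtmlUtil.escape() argument. The sample JSP text and all function names in the script are constructed for illustration.

```python
import re

# JSP expression output: <%= ... %> (JSP comments <%-- --%> do not match)
EXPR_RE = re.compile(r"<%=(.*?)%>", re.DOTALL)
# Getters the advisory names as having been rendered without escaping.
GETTER_RE = re.compile(r"\.\s*(getName|getDescription|getOrganizationNames)\s*\(")
ESCAPE_CALL = "HtmlUtil.escape("


def _escaped_spans(expr):
    """Return (start, end) index spans covered by HtmlUtil.escape(...) arguments.
    Heuristic: balances parentheses, ignores parentheses inside string literals."""
    spans = []
    pos = expr.find(ESCAPE_CALL)
    while pos != -1:
        start = pos + len(ESCAPE_CALL)
        depth, i = 1, start
        while i < len(expr) and depth:
            depth += {"(": 1, ")": -1}.get(expr[i], 0)
            i += 1
        spans.append((start, i))
        pos = expr.find(ESCAPE_CALL, i)
    return spans


def find_unescaped_getters(jsp_source):
    """Return [(line, getter, expression)] for getter calls emitted unescaped."""
    findings = []
    for m in EXPR_RE.finditer(jsp_source):
        expr = m.group(1)
        spans = _escaped_spans(expr)
        line = jsp_source.count("\n", 0, m.start()) + 1
        for g in GETTER_RE.finditer(expr):
            if not any(s <= g.start() < e for s, e in spans):
                findings.append((line, g.group(1), expr.strip()))
    return findings


# Constructed sample input, not the Liferay source.
SAMPLE_JSP = """\
<%-- constructed sample --%>
<td><%= accountRole.getName() %></td>
<td><%= HtmlUtil.escape(accountRole.getDescription()) %></td>
<td><%= HtmlUtil.escape(entry.getOrganizationNames()) + " / " + org.getName() %></td>
<td><%= HtmlUtil.escape(org.getParent().getName()) %></td>
"""

if __name__ == "__main__":
    for line, getter, expr in find_unescaped_getters(SAMPLE_JSP):
        print(f"line {line}: {getter}() rendered without HtmlUtil.escape(): {expr}")
```

A finding is a candidate for review, not proof of XSS: the value may be escaped elsewhere, for example by a tag library that escapes its own output.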