{"vuid":"VU#100972","idnumber":"100972","name":"Liferay Portal PCE contains multiple cross-site scripting vulnerabilities","keywords":["liferay","cms","cwe-79","xss"],"overview":"Liferay Portal versions 6.1.2 CE GA3, 6.1.X EE, 6.2.X EE, Master contain multiple cross-site scripting vulnerabilities","clean_desc":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2963\nLiferay is affected by a Persistent Cross Site Scripting vulnerability in the \"my account area\". The specific versions affected are: Liferay Portal Community Edition 6.1.2 CE GA3, 6.1.X EE, 6.2.X EE, Master\nThree instances of this issue were identified, at the following locations/parameters: /group/control_panel/manage [_2_firstName parameter]\n/group/control_panel/manage [_2_lastName parameter]\n/group/control_panel/manage [_2_middleName parameter]","impact":"An attacker with access to the Liferay Portal \"my account area\" or by tricking a logged in user to visit a specially crafted URL, can conduct a cross-site scripting attack, which could be used to result in information leakage, privilege escalation, and/or denial of service.","resolution":"Apply an Update\nThis vulnerability was addressed on 06/04/14, bug id LPS-46156.","workarounds":"","sysaffected":"","thanks":"Thanks to Simone Cecchini from Verizon Enterprise Solutions GCIS Threat and Vulnerability Management for reporting this vulnerability.","author":"This document was written by Chris King.","public":["https://github.com/samuelkong/liferay-portal","http://www.liferay.com/"],"cveids":["CVE-2014-2963"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-04-23T12:31:34Z","publicdate":"2014-07-09T00:00:00Z","datefirstpublished":"2014-07-09T17:06:03Z","dateupdated":"2014-07-10T14:40:07Z","revision":11,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"P","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"3.5","cvss_basevector":"AV:N/AC:M/Au:S/C:N/I:P/A:N","cvss_temporalscore":"2.7","cvss_environmentalscore":"2.0375984727","cvss_environmentalvector":"CDP:N/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}