Vulnerability Description
Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Liferay Portal | >= 6.0.0, <= 6.0.5 |
Related Weaknesses (CWE)
References
- http://issues.liferay.com/browse/LPS-14927Issue TrackingVendor Advisory
- http://openwall.com/lists/oss-security/2011/03/29/1Mailing ListThird Party Advisory
- http://openwall.com/lists/oss-security/2011/04/08/5Mailing ListThird Party Advisory
- http://openwall.com/lists/oss-security/2011/04/11/9Mailing ListThird Party Advisory
- http://issues.liferay.com/browse/LPS-14927Issue TrackingVendor Advisory
- http://openwall.com/lists/oss-security/2011/03/29/1Mailing ListThird Party Advisory
- http://openwall.com/lists/oss-security/2011/04/08/5Mailing ListThird Party Advisory
- http://openwall.com/lists/oss-security/2011/04/11/9Mailing ListThird Party Advisory
FAQ
What is CVE-2011-1502?
CVE-2011-1502 is a vulnerability with a CVSS score of 4.0 (MEDIUM). Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity...
How severe is CVE-2011-1502?
CVE-2011-1502 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-1502?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Liferay Portal.