Vulnerability Description
Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Liferay Portal | < 7.0.3_ga4 |
Related Weaknesses (CWE)
References
- https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asse [Patch, Vendor Advisory]
- https://github.com/liferay/liferay-portal/commit/9435af4ef8a90b5333da925a5ec860a [Patch, Third Party Advisory]
FAQ
What is CVE-2017-1000425?
CVE-2017-1000425 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI ...
How severe is CVE-2017-1000425?
CVE-2017-1000425 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-1000425?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Liferay Portal.