製品・ソフトウェアに関する情報

JVN脆弱性詳細

Liferay Portal CE におけるクロスサイトスクリプティングの脆弱性

Title	Liferay Portal CE におけるクロスサイトスクリプティングの脆弱性
Summary	Liferay Portal Community Edition (CE) には、Apache Tomcat を使用している際、クロスサイトスクリプティングの脆弱性が存在します。本脆弱性は、CVE-2004-2030 とは異なる脆弱性です。
Possible impacts	リモート認証されたユーザにより、メッセージタイトルを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 13, 2010, midnight
Registration Date	March 27, 2012, 6:43 p.m.
Last Update	March 27, 2012, 6:43 p.m.

Affected System

Apache Software Foundation

Apache Tomcat

Liferay

portal Community Edition 6.0.6 GA 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1570	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1570
National Vulnerability Database (NVD)
2	CVE-2011-1570	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1570

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Apache
1	Top Page	http://httpd.apache.org/
Liferay
2	LPS-12628	http://issues.liferay.com/browse/LPS-12628
3	LPS-13250	http://issues.liferay.com/browse/LPS-13250

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-1570

Summary	Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030.
Publication Date	May 8, 2011, 4:55 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:26 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:liferay:liferay_portal:::::community:::*		6.0.0	6.0.5
execution environment
1	cpe:2.3:o:microsoft:windows_7:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://issues.liferay.com/browse/LPS-12628	Issue Tracking Vendor Advisory
2	http://issues.liferay.com/browse/LPS-13250	Exploit Issue Tracking Vendor Advisory
3	http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952	Release Notes Vendor Advisory
4	http://openwall.com/lists/oss-security/2011/03/29/1	Mailing List Third Party Advisory
5	http://openwall.com/lists/oss-security/2011/04/08/5	Mailing List Third Party Advisory
6	http://openwall.com/lists/oss-security/2011/04/11/9	Mailing List Third Party Advisory
7	http://issues.liferay.com/browse/LPS-12628	Issue Tracking Vendor Advisory
8	http://openwall.com/lists/oss-security/2011/04/11/9	Mailing List Third Party Advisory
9	http://openwall.com/lists/oss-security/2011/04/08/5	Mailing List Third Party Advisory
10	http://openwall.com/lists/oss-security/2011/03/29/1	Mailing List Third Party Advisory
11	http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952	Release Notes Vendor Advisory
12	http://issues.liferay.com/browse/LPS-13250	Exploit Issue Tracking Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html