Liferay Enterprise Portal 1.x/2.x/5.0.2 - Multiple Cross-Site Scripting Vulnerabilities

Author: Sandeep Giri
type: webapps
platform: jsp
port: 
date_added: 2004-05-22 
date_updated: 2013-01-15 
verified: 1 
codes: CVE-2004-2030;OSVDB-6346 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/10402/info

It has been reported that Liferay Enterprise Portal is susceptible to multiple cross-site scripting and HTML injection vulnerabilities. User-supplied data from many input fields is included in server generated content without appropriate validation/encoding. This may allow for typical cross-site scripting attacks against other users of the portal.


Test:
Add a message with subject <script>history.go(-1)</script>
Now, no user can see message board.