Tomasz Kuczynski

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions prior to 5.3.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `p p id` parameter. This can lead to the execution of malicious scripts on the client-side. **Recommendations** For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `p p id` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Caucho Resin versions prior to 3.0.25 Caucho Resin versions 3.1.x prior to 3.1.4 Description: A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `file` parameter in the viewfile documentation command. Recommendations: For versions prior to 3.0.25, update to version 3.0.25 or later. For versions 3.1.x prior to 3.1.4, update to version 3.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal version 4.3.6 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `User-Agent` HTTP header. This occurs when composing Forgot Password e-mail messages in HTML format. **Recommendations** For Liferay Portal version 4.3.6, consider restricting the use of the `User-Agent` HTTP header when composing Forgot Password e-mail messages in HTML format until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal version 4.3.6 **Description** A cross-site scripting (XSS) issue exists in the Enterprise Admin Session Monitoring component, allowing remote authenticated users to inject arbitrary web script or HTML via the `User-Agent` HTTP header. **Recommendations** For Liferay Portal version 4.3.6, consider restricting access to the Enterprise Admin Session Monitoring component until a fix is available. As a temporary workaround, avoid using the vulnerable component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal version 4.3.6 **Description** A cross-site scripting (XSS) issue exists in the Admin portlet, allowing remote authenticated users to inject arbitrary web script or HTML via the Shutdown message. **Recommendations** For Liferay Portal version 4.3.6, consider disabling the Admin portlet or restricting access to it until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions prior to 4.4.0 **Description** A cross-site request forgery (CSRF) issue exists in the Admin portlet of Liferay Portal, allowing remote authenticated users to perform actions as other authenticated users via the Shutdown message. **Recommendations** For versions prior to 4.4.0, update to version 4.4.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mortbay Jetty versions prior to 6.1.6rc1 **Description** The issue arises from improper handling of certain quote sequences in HTML cookie parameters, allowing remote attackers to hijack browser sessions. **Recommendations** For versions prior to 6.1.6rc1, update to version 6.1.6rc1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mortbay Jetty versions prior to 6.1.6rc0 **Description** The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. **Recommendations** For Mortbay Jetty versions prior to 6.1.6rc0, update to version 6.1.6rc0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mortbay Jetty versions prior to 6.1.6rc1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via unspecified parameters and cookies. **Recommendations** For Mortbay Jetty versions prior to 6.1.6rc1, update to version 6.1.6rc1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 4.0.0 through 4.0.6 Apache Tomcat versions 4.1.0 through 4.1.36 **Description** A cross-site scripting (XSS) issue exists in the SendMailServlet of the examples web application, allowing remote attackers to inject arbitrary web script or HTML via the `From` field and possibly other fields. This is related to the generation of error messages, which did not properly escape user-provided data. **Recommendations** For Apache Tomcat versions 4.0.0 through 4.0.6, consider undeploying the examples web application to mitigate the risk. For Apache Tomcat versions 4.1.0 through 4.1.36, consider undeploying the examples web application to mitigate the risk. As a temporary workaround, consider disabling the SendMailServlet until a patch is available.