CVE-2014-2963

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters in the group/control panel/manage section. The vulnerable parameters are firstName, lastName, and middleName.

Recommendations For Liferay Portal version 6.1.2 CE GA3, avoid using the parameters 2 firstName, 2 lastName, or 2 middleName in the group/control panel/manage section until a fix is available. For Liferay Portal version 6.1.X EE, restrict access to the group/control panel/manage section to minimize the risk of exploitation. For Liferay Portal version 6.2.X EE, consider disabling the group/control panel/manage functionality until a patch is available.