PT-2018-10108 · Cksource+1 · Ckeditor+1

Published: 2018-05-07 · Updated: 2024-08-05 · CVE-2018-10795

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Liferay versions 6.2.x and earlier

Description: The issue concerns an FCKeditor configuration that may allow an attacker to upload or transfer files of potentially dangerous types. Such files can then be processed automatically within the product's environment through specific URI paths, such as "browser/liferay/browser.html?Type=" or "html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html". The vendor disputes this issue, stating that file upload is an expected feature subject to Role Based Access Control checks, which restrict uploads to authenticated users with the proper permissions.

Recommendations: For Liferay versions 6.2.x and earlier, restrict access to the FCKeditor file upload feature to minimize the risk of exploitation, ensuring that only authenticated users with the proper permissions can upload files. Additionally, review and enforce the Role Based Access Control checks so that unauthorized file uploads are rejected.
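An added example, not taken from the advisory or from Liferay, that supports the recommendation from the monitoring side: it scans web-server access-log lines for requests to the FCKeditor file-manager paths named above and reports which of them were served to unauthenticated users. The log format (Combined Log Format with the authenticated user in the third field) and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2018:10:01:02 +0000] "GET /html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html?Type=Document HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - alice [07/May/2018:10:02:15 +0000] "POST /html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html?Type=File HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [07/May/2018:10:03:40 +0000] "GET /web/guest/home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [07/May/2018:10:04:01 +0000] "GET /browser/liferay/browser.html?Type=Image HTTP/1.1" 403 0 "-" "curl/7.58"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path fragments taken from the advisory text for the FCKeditor file-manager browser.
FCK_PATHS = ("/fckeditor/editor/filemanager/browser/", "browser/liferay/browser.html")


@dataclass
class Hit:
    ip: str
    user: str
    method: str
    path: str
    status: int
    anonymous: bool


def find_fckeditor_requests(log_text):
    """Return every parsed request whose path touches the FCKeditor file manager."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"]
        if not any(frag in path for frag in FCK_PATHS):
            continue
        hits.append(Hit(ip=m["ip"], user=m["user"], method=m["method"], path=path,
                        status=int(m["status"]), anonymous=(m["user"] == "-")))
    return hits


def successful_anonymous(hits):
    """Requests that reached the file manager without an authenticated user and were not rejected."""
    return [h for h in hits if h.anonymous and h.status < 400]


if __name__ == "__main__":
    for h in successful_anonymous(find_fckeditor_requests(SAMPLE_LOG)):
        print(f"ALERT {h.ip} {h.method} {h.path} -> {h.status} (no authenticated user)")
```

A 403 on these paths for an anonymous client (the last sample line) is the expected outcome once access is restricted; a 2xx there is what the RBAC review should rule out.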


Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2018-10795

Affected Products: Ckeditor, Liferay