CVE-2017-1000425

Name of the Vulnerable Software and Affected Versions Liferay Portal CE versions prior to 7.0 GA4

Description A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via a javascript: URI in the movie parameter in the "/html/portal/flash.jsp" page.

Recommendations For versions prior to 7.0 GA4, update to a version newer than 7.0 GA4 to resolve the issue. As a temporary workaround, consider restricting access to the "/html/portal/flash.jsp" page and avoid using the movie parameter until the issue is resolved.