Vulnerability Details : CVE-2011-1503
The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL.
Vulnerability category: Information leak
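The description above boils down to one mistake: a URL typed into the portlet by an authenticated user is handed unchanged to the XSLT processor, and JAXP resolves file:/// URLs just as readily as http:// ones, so both the stylesheet and the XML document can be pointed at local files. The example below is added here for illustration and is not Liferay's code; the method names, the parameter names and the probe URLs are assumptions. It shows the vulnerable shape next to a hardened version, and also closes the less obvious path: even with validated top-level URLs, a remote stylesheet can still pull in local files through xsl:import, xsl:include, document() or an external DTD unless the transformer is told not to.

```java
import java.io.StringWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XslContentHardening {

    // Vulnerable shape (illustrative, not Liferay's code): the two URLs the
    // portlet user configured go straight to JAXP, which opens file:/// for
    // the stylesheet and for the XML document alike.
    static String transformUnsafe(String xmlUrl, String xslUrl) throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        Transformer transformer = factory.newTransformer(new StreamSource(xslUrl));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(xmlUrl), new StreamResult(out));
        return out.toString();
    }

    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");

    // Accept only absolute http(s) URLs that carry a host. The scheme check is
    // case-insensitive so "FILE:///etc/passwd" is rejected as well as "file:".
    static void requireRemoteUrl(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL: " + url, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                || uri.getHost() == null) {
            throw new IllegalArgumentException("only absolute http(s) URLs are allowed: " + url);
        }
    }

    // Hardened shape: validate both top-level URLs, then stop the stylesheet and
    // the document from reaching local files via xsl:import/xsl:include,
    // document() and external DTDs or entities.
    static String transformHardened(String xmlUrl, String xslUrl) throws TransformerException {
        requireRemoteUrl(xmlUrl);
        requireRemoteUrl(xslUrl);

        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes: "" forbids external DTDs/entities entirely,
        // "http,https" limits import/include/document() to those protocols.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "http,https");

        // Second layer for processors that predate JAXP 1.5: every href the
        // stylesheet resolves is put through the same scheme check.
        URIResolver resolver = (href, base) -> {
            try {
                String absolute = (base == null || base.isEmpty())
                        ? href : new URI(base).resolve(href).toString();
                requireRemoteUrl(absolute);
                return new StreamSource(absolute);
            } catch (URISyntaxException | IllegalArgumentException e) {
                throw new TransformerException("blocked stylesheet reference: " + href, e);
            }
        };
        factory.setURIResolver(resolver);

        Transformer transformer = factory.newTransformer(new StreamSource(xslUrl));
        transformer.setURIResolver(resolver);
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(xmlUrl), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs of the kind a portal user could enter in the
        // portlet's XSL/XML URL fields (sample values, not from the advisory).
        String[] probes = {
            "file:///etc/passwd",
            "FILE:///opt/liferay/tomcat/conf/tomcat-users.xml",
            "/WEB-INF/web.xml",
            "jar:file:///opt/app.war!/WEB-INF/portal.properties",
            "https://example.org/feed.xml",
        };
        for (String url : probes) {
            try {
                requireRemoteUrl(url);
                System.out.println("accepted: " + url);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Two caveats for anyone applying this pattern. `setAttribute` with the `ACCESS_EXTERNAL_*` constants throws `IllegalArgumentException` on XSLT processors that predate JAXP 1.5 (JDK 7u40/8, or a bundled older Xalan), which is exactly why the `URIResolver` is kept as a second layer rather than relying on the attributes alone. And an http(s)-only allowlist stops local file reads but still lets the user make the server fetch arbitrary remote hosts, including internal ones; if that matters in your deployment, restrict the host as well, not just the scheme.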
Products affected by CVE-2011-1503
- Liferay » Liferay Portal » Community Edition, versions from 5.1.0 up to and including 5.1.2 (cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*)
- Liferay » Liferay Portal » Community Edition, versions from 5.2.0 up to and including 5.2.3 (cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*)
- Liferay » Liferay Portal » Community Edition, versions from 6.0.0 up to and including 6.0.5 (cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*)
Exploit prediction scoring system (EPSS) score for CVE-2011-1503
EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~52% (proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2011-1503
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N | 6.8 | 2.9 | NIST |
The vector is CVSS v2: network-reachable, medium access complexity, a single authentication required, partial confidentiality impact and no integrity or availability impact.
CWE ids for CVE-2011-1503
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by nvd@nist.gov, primary)
References for CVE-2011-1503
- http://issues.liferay.com/browse/LPS-13762 : [LPS-13762] XSL Content Portlet can utilize file:/// to potentially access files on the system (Liferay Issues; issue tracking, vendor advisory)
- http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952 : Release Notes, Liferay Issues (issue tracking, release notes, vendor advisory)
- http://openwall.com/lists/oss-security/2011/03/29/1 : oss-security, CVE requests: Liferay 6.0.6 (mailing list, third-party advisory)
- http://openwall.com/lists/oss-security/2011/04/08/5 : oss-security, Re: CVE requests: Liferay 6.0.6 (mailing list, third-party advisory)
- http://openwall.com/lists/oss-security/2011/04/11/9 : oss-security, Re: CVE requests: Liferay 6.0.6 (mailing list, third-party advisory)