Description
The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/04/08/5
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/04/11/9
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/03/29/1
Issue Tracking, Vendor Advisory x_refsource_confirm
http://issues.liferay.com/browse/LPS-13762
Issue Tracking, Release Notes, Vendor Advisory x_refsource_confirm
http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952
Scores
EPSS
0.0066
EPSS Percentile
71.3%
Details
CWE
CWE-200
Status
published
Products (1)
liferay/liferay_portal
5.1.0 - 5.1.2
Published
May 07, 2011
Tracked Since
Feb 18, 2026