Liferay Portal fails to properly protect against Cross-Site Request Forgery (CSRF). This may allow a remote attacker to forge requests that Liferay Portal acts upon.
A remote attacker may be able to forge requests that Liferay Portal acts upon.
This issue is addressed in Liferay version 4.4.0, as specified in Liferay support document LEP-4739. Version 4.4.0 forces requests to be in POST format, which helps mitigate CSRF attacks.
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
Date First Published: 2008-01-31
Date Last Updated: 2008-01-31 20:20 UTC