com.liferay:com.liferay.layout.taglib 2.2.27 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.liferay:com.liferay.layout.taglib package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `getSuccessMessage` field in the embedded message form container. An attacker can execute arbitrary JavaScript in the context of the affected application by submitting crafted input to this field. How to fix Cross-site Scripting (XSS)? Upgrade `com.liferay:com.liferay.layout.taglib` to version 16.1.33 or higher.	[,16.1.33)
L Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `name` field of `layoutClassedModelUsagesDisplayContext`. An attacker can execute arbitrary JavaScript code in the context of another user by injecting a malicious payload that is reflected and executed when the "Document View Usages" page is viewed. How to fix Cross-site Scripting (XSS)? Upgrade `com.liferay:com.liferay.layout.taglib` to version 16.1.33 or higher.	[,16.1.33)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `openResultToast()` function in `InfoItemActionHandler.js`, accessible via `layout-taglib/__liferay__/index.js`. An attacker can inject scripts by manipulating the `toastData` parameter. How to fix Cross-site Scripting (XSS)? Upgrade `com.liferay:com.liferay.layout.taglib` to version 16.1.23 or higher.	[,16.1.23)
M Information Exposure Affected versions of this package are vulnerable to Information Exposure due to the improper handling of the `doAsUserId` URL parameter when creating linked content using the WYSIWYG editor and while impersonating a user. An attacker can impersonate a user after accessing the linked content by exploiting the leakage of this parameter. How to fix Information Exposure? Upgrade `com.liferay:com.liferay.layout.taglib` to version 6.1.0 or higher.	[,6.1.0)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field. How to fix Cross-site Scripting (XSS)? Upgrade `com.liferay:com.liferay.layout.taglib` to version 13.1.3 or higher.	[,13.1.3)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the getSuccessMessage field in the embedded message form container. An attacker can execute arbitrary JavaScript in the context of the affected application by submitting crafted input to this field.

How to fix Cross-site Scripting (XSS)?

Upgrade com.liferay:com.liferay.layout.taglib to version 16.1.33 or higher.

[,16.1.33)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the name field of layoutClassedModelUsagesDisplayContext. An attacker can execute arbitrary JavaScript code in the context of another user by injecting a malicious payload that is reflected and executed when the "Document View Usages" page is viewed.

How to fix Cross-site Scripting (XSS)?

Upgrade com.liferay:com.liferay.layout.taglib to version 16.1.33 or higher.

[,16.1.33)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the openResultToast() function in InfoItemActionHandler.js, accessible via layout-taglib/__liferay__/index.js. An attacker can inject scripts by manipulating the toastData parameter.

How to fix Cross-site Scripting (XSS)?

Upgrade com.liferay:com.liferay.layout.taglib to version 16.1.23 or higher.

[,16.1.23)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to the improper handling of the doAsUserId URL parameter when creating linked content using the WYSIWYG editor and while impersonating a user. An attacker can impersonate a user after accessing the linked content by exploiting the leakage of this parameter.

How to fix Information Exposure?

Upgrade com.liferay:com.liferay.layout.taglib to version 6.1.0 or higher.

[,6.1.0)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's URL text field.

How to fix Cross-site Scripting (XSS)?

Upgrade com.liferay:com.liferay.layout.taglib to version 13.1.3 or higher.

[,13.1.3)

com.liferay:com.liferay.layout.taglib@2.2.27 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically