>> Liferay 6.2.3 CE GA4 OpenID XXE Injection

USER: deepcore // DATE: 2016-06-04 20:33 // MODIFIED: 2016-06-04

Liferay supports OpenID login which was found to make use of a version of openid4java that is vulnerable to XML External Entity (XXE) attacks. Liferay versions 6.2.3 CE GA4 and earlier are affected.