Project Security

The following security issues have been identified and addressed:

Version 3.1.0

  • CVEID: CVE-2019-0186

    DESCRIPTION: The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks.

    Versions Affected:
    3.0.0, 3.0.1

    Mitigation:
    * Uninstall the ChatRoomDemo war file
    - or -
    * Migrate to version 3.1.0 of the chat-room-demo war file

Version 3.0.1

  • CVEID: CVE-2018-1306

    DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

    Versions Affected:
    3.0.0

    Mitigation:
    * Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
    - or -
    * Migrate to version 3.0.1

  • CVEID: CVE-2015-1926

    DESCRIPTION: The Java Portlet Specification API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

    Versions Affected:
    2.0.0, 3.0.0

    Mitigation:
    * Migrate to version 3.0.1
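As an added illustration of the defect class behind CVE-2018-1306 above (failure to restrict path information supplied with an uploaded file), and not code from the Pluto demo or from its fix: a Portlet 3.0 action method that reduces the client-supplied file name to its last path element and refuses any target outside a configured upload directory. The upload directory, the portlet name and the part name "file" are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletException;
import javax.portlet.annotations.ActionMethod;
import javax.servlet.http.Part;

public class SafeUploadPortlet {

    // Assumed base directory; a real deployment would read this from configuration.
    private static final Path UPLOAD_DIR = Paths.get("/var/lib/portal/uploads").toAbsolutePath().normalize();

    @ActionMethod(portletName = "SafeUploadPortlet", actionName = "upload")
    public void upload(ActionRequest req, ActionResponse resp) throws PortletException, IOException {
        Part part = req.getPart("file");          // Portlet 3.0 multipart support
        if (part == null || part.getSize() == 0) {
            throw new PortletException("no file part");
        }
        Path target = resolveUploadTarget(UPLOAD_DIR, part.getSubmittedFileName());
        try (InputStream in = part.getInputStream()) {
            Files.createDirectories(target.getParent());
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        resp.getRenderParameters().setValue("stored", target.getFileName().toString());
    }

    // Keeps only the final path element of the submitted name and checks the
    // resolved target still lies inside baseDir.
    static Path resolveUploadTarget(Path baseDir, String submittedName) throws IOException {
        if (submittedName == null || submittedName.isEmpty()) {
            throw new IOException("missing file name");
        }
        // Clients may send "C:\dir\x.txt" or "../x.txt"; drop everything before the last separator.
        String name = submittedName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IOException("invalid file name");
        }
        Path target = baseDir.resolve(name).normalize();
        if (!target.startsWith(baseDir)) {     // defence in depth: never escape the base directory
            throw new IOException("path escapes upload directory");
        }
        return target;
    }
}
```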