Legacy Knowledge Base
Published Jul. 2, 2025

How to protect the portal against Bootstrap: CVE-2019-8331 vulnerability

Written By

Roberto Díaz

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • Liferay 7.0 uses a Bootstrap version that has this vulnerability:
    • CVE-2019-8331 - XSS is possible in the tooltip or popover data-template attribute.
      Bootstrap issue 20184 - XSS in data-target attribute.

Environment

  • Liferay DXP 7.0

Resolution

  • You should be able to get protection against this vulnerability by activating the official Liferay solution for sanitizing content, AntiSamy; please find more details here: AntiSamy.
  • To get full protection on all portlets, the solution we suggest is to deactivate the whitelisting for com.liferay.journal.model.JournalArticle (all other portlets are already sanitized by default, since only JournalArticle is whitelisted).
  • Go to:
    • Control Panel > Configuration > System Settings > Foundation > AntiSamy Sanitizer.
    • Remove com.liferay.journal.model.JournalArticle from the whitelist.
  • Once this has been done, the Web Content portlets will sanitize content before publication and will no longer allow XSS payloads to be stored.
  • Please note:
    • The change won't be applied to already published content, which will have to be re-published in order to be sanitized.
    • Re-publishing could imply an automatic modification to the current content (if it contains markup that has to be sanitized).
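Because already published articles are not re-sanitized, an administrator needs to know which ones to re-publish. The script below is an added audit helper (not Liferay's or AntiSamy's own code) that scans article bodies for the Bootstrap data-template and data-html attributes that CVE-2019-8331 abuses; it assumes each article's HTML body is available as a string, and the article ids and bodies are constructed samples.

```python
"""Audit helper (added example, not Liferay or AntiSamy code): list published
web content that still carries Bootstrap tooltip/popover markup with the
data-template attribute, the sink behind CVE-2019-8331, so those articles can be
re-published once AntiSamy is active for JournalArticle. Assumes each article's
HTML body is available as a string (e.g. exported through the Journal API)."""
from html.parser import HTMLParser

# Bootstrap inserts data-template into the DOM as raw HTML for tooltips and
# popovers, so it is the attribute the sanitizer has to strip; data-html="true"
# widens the same sink to the title/content attributes.
RISKY_ATTRS = ("data-template", "data-html")


class RiskyAttrFinder(HTMLParser):
    """Collect every element carrying one of RISKY_ATTRS."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases names and unescapes values
        for name in RISKY_ATTRS:
            if name in attrs:
                self.findings.append({
                    "tag": tag,
                    "toggle": attrs.get("data-toggle", ""),
                    "attr": name,
                    "value": attrs[name] or "",
                })


def find_risky_markup(html):
    """Return the findings for one article body (empty list means nothing to do)."""
    finder = RiskyAttrFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def articles_to_republish(articles):
    """Map article id -> findings, keeping only articles that need re-publishing."""
    result = {}
    for article_id, body in articles.items():
        findings = find_risky_markup(body)
        if findings:
            result[article_id] = findings
    return result


# Constructed sample bodies, not real Liferay content.
SAMPLE_ARTICLES = {
    "clean": '<p>See the <a href="#" data-toggle="tooltip" title="plain">docs</a></p>',
    "custom-template": ('<button data-toggle="popover" data-html="true" '
                        'data-template="&lt;div class=\'popover\'&gt;&lt;/div&gt;">'
                        'Info</button>'),
}

if __name__ == "__main__":
    for article_id, findings in articles_to_republish(SAMPLE_ARTICLES).items():
        print(article_id, [(f["tag"], f["attr"]) for f in findings])
```

A plain tooltip with only a title attribute is not reported, since the sanitizer leaves it alone; only elements that carry data-template or data-html are listed.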
