CVE-2014-3416 : Manage permissions ineffectual. Any user with SUBSCRIBE on portlet-admin can MANAGE any portlet through URL manipulation. The MANAGE permission only filters which portlets are listed in the UI but does not prevent the user from managing portlets.
More information about this vulnerability and how you can address it locally is at
Marked all uPortal 4 releases as affected as a guess. Unclear whether releases before 4 are affected – would need to go look.
Addressed in uPortal 4.0.13-patches (branch soon to be pushed), in 4.0-patches towards 4.0.14, and in master.
for 188.8.131.52 : https://github.com/Jasig/uPortal/commit/8afed0f532a9f0057d42ea682e9a1f7858f51151 .
for 4.0.14 : https://github.com/Jasig/uPortal/commit/dd069c1728845b885f270ea96a4b8d1b5709a453
for master : https://github.com/Jasig/uPortal/commit/9e56eb6c1c6acb52ccd1f0de7f22f8ecf2a5bbfb
Correct CVE identifier digit transpose.
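
The flaw described in this issue, a permission that filters the listing but is not re-checked when a portlet is named directly in the request, is modelled below as an added example. It is not uPortal code: every class, method, user and portlet name in it is hypothetical, and the sample data is constructed.

```java
import java.util.*;
import java.util.stream.*;

// Constructed model, not uPortal code: all names and data here are hypothetical.
public class ManagePermissionDemo {
    // user -> portlet ids the user holds MANAGE on (constructed sample data)
    static final Map<String, Set<String>> MANAGE = new HashMap<>();
    // users holding SUBSCRIBE on the portlet-admin portlet itself
    static final Set<String> ADMIN_SUBSCRIBERS = new HashSet<>();
    static final List<String> PORTLETS = Arrays.asList("news", "payroll", "bookmarks");

    static boolean canManage(String user, String portletId) {
        return MANAGE.getOrDefault(user, Collections.emptySet()).contains(portletId);
    }

    // The UI listing: MANAGE decides which portlets are shown.
    static List<String> listManageable(String user) {
        return PORTLETS.stream().filter(p -> canManage(user, p)).collect(Collectors.toList());
    }

    // Flawed handler: assumes the id in the request came from the filtered list.
    static String editFlawed(String user, String portletId) {
        if (!ADMIN_SUBSCRIBERS.contains(user)) throw new SecurityException("no access to portlet-admin");
        return "edit form for " + portletId;
    }

    // Corrected handler: re-checks MANAGE on the portlet named in the request.
    static String editChecked(String user, String portletId) {
        if (!ADMIN_SUBSCRIBERS.contains(user)) throw new SecurityException("no access to portlet-admin");
        if (!canManage(user, portletId)) throw new SecurityException(user + " lacks MANAGE on " + portletId);
        return "edit form for " + portletId;
    }

    public static void main(String[] args) {
        ADMIN_SUBSCRIBERS.add("alice");
        MANAGE.put("alice", new HashSet<>(Collections.singleton("news")));

        System.out.println("listed:  " + listManageable("alice"));
        // The listing hides "payroll", yet the flawed handler still serves it.
        System.out.println("flawed:  " + editFlawed("alice", "payroll"));
        try {
            editChecked("alice", "payroll");
        } catch (SecurityException e) {
            System.out.println("checked: denied (" + e.getMessage() + ")");
        }
    }
}
```

A regression test for a fix of this kind requests a portlet that is absent from the user's filtered list and asserts that the handler refuses it.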