23 May 2014
uPortal 4.0.13.1 Announcement
Apereo has released uPortal 4.0.13.1, which is uPortal 4.0.13 with security fixes to properly enforce MANAGE and CONFIG permissions.
Prior to this release, portlet administration permissions are bugged such that
- CVE-2014-31463416 anyone who can SUBSCRIBE the portlet-admin portlet can MANAGE any portlet, regardless of intended delegated administration MANAGE and MANAGE-* permission restrictions , and
- CVE-2014-31473417 anyone who can SUBSCRIBE a given portlet can enter CONFIG mode of that portlet to the extent that the portlet has a CONFIG mode.
...