Liferay 3: Attackers could steal the sessions of your users with the following technique.

5 March 2018

The vulnerability described in this article has been fixed in the current, latest version of Liferay. We consider it extremely important to keep the system you use up to date. The following article shows an example of a vulnerability in an outdated Liferay version.

If you are logged in to a vulnerable system, you are only one click away from having your session stolen. Just a question: have you clicked a shortened URL recently?

Level of security risk: Medium

An attacker could run arbitrary client-side (JavaScript) code in the victim’s browser and thereby steal the victim’s cookies and session. If the victim has administrator roles, the attacker could run arbitrary code on the server too.

More details:

An attacker could act in the name of another user, with that user’s privileges.

Proof of concept:
Open the following link in Firefox: