It was found that JavaServer Faces PortletBridge-based portlets using GenericPortlet's default resource serving did not restrict access to resources within the web application. An attacker could set the resource ID field of a URL to potentially bypass security constraints and gain access to restricted resources.
Acknowledgements: Red Hat would like to thank Liferay, Inc. for reporting this issue.
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1226 https://rhn.redhat.com/errata/RHSA-2015-1226.html
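The default `GenericPortlet.serveResource` in the Portlet 2.0 API forwards the request to whatever path the resource ID names, which is why an unchecked resource ID reaches files the web application never meant to serve. As an added example (not the fix shipped in RHSA-2015:1226 and not PortletBridge code), a portlet can check the resource ID against an allow-list before it delegates to the default implementation; the class name, the allowed directories and the sample IDs below are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Added example: allow-list check for a portlet resource ID before it is used as a forward path. */
public class ResourceIdGuard {
    // Assumption: the only directories this portlet is meant to serve from.
    private static final List<String> ALLOWED_PREFIXES = Arrays.asList("/resources/", "/images/");

    /** Returns true only if the resource ID is a plain path under an allowed directory. */
    static boolean isAllowed(String resourceId) {
        if (resourceId == null || !resourceId.startsWith("/")) return false;
        // Reject characters that could make the container resolve a different path
        // than the one checked here (encoding, path parameters, query, backslash).
        for (char c : resourceId.toCharArray()) {
            if (c == '%' || c == ';' || c == '?' || c == '#' || c == '\\' || c < 0x20) return false;
        }
        for (String segment : resourceId.substring(1).split("/", -1)) {
            // No empty, "." or ".." segments, so the checked path is the served path.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) return false;
            // Deployment metadata is never served, whatever the case of the name.
            String upper = segment.toUpperCase(Locale.ROOT);
            if (upper.equals("WEB-INF") || upper.equals("META-INF")) return false;
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (resourceId.startsWith(prefix)) return true;
        }
        return false; // default deny: anything outside the allow-list is refused
    }

    public static void main(String[] args) {
        // Constructed sample resource IDs, not taken from the advisory.
        String[] samples = {
            "/resources/css/portlet.css",
            "/WEB-INF/web.xml",
            "/resources/../WEB-INF/web.xml",
            "/resources/%2e%2e/WEB-INF/web.xml",
            "/admin/secure.jsp",
            "/images//logo.png",
            null
        };
        for (String id : samples) {
            System.out.println((isAllowed(id) ? "SERVE  " : "REJECT ") + id);
        }
    }
}
```

In a portlet, an overriding `serveResource` would call `isAllowed(request.getResourceID())` and only then invoke `super.serveResource(request, response)`, returning without forwarding for any other value.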