It was found that JavaServer Faces PortletBridge-based portlets relying on GenericPortlet's default resource serving did not restrict which resources within the web application could be served. The default serveResource() implementation dispatches the request to whatever path the resource ID names, and that ID is supplied by the client as part of the resource URL. An attacker could set the resource ID field of a URL to a path that is otherwise protected (for example, a file under WEB-INF, which a request dispatcher can reach even though it is not directly browsable) to bypass security constraints and gain access to restricted resources.
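The following is an added illustration, not code from the advisory, from JBoss Portal or from the PortletBridge fix: a hypothetical portlet that overrides GenericPortlet.serveResource() so the attacker-controlled resource ID is validated before it is handed to a PortletRequestDispatcher. The class name, the "/resources/" allowlist prefix and the choice to answer every rejected ID with a 404 are assumptions; the Portlet 2.0 API calls (getResourceID(), getRequestDispatcher(), forward(), ResourceResponse.HTTP_STATUS_CODE) are standard.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Locale;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequestDispatcher;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

/**
 * Hypothetical portlet (example only) that replaces GenericPortlet's default
 * resource serving. The stock serveResource() forwards to whatever path the
 * resource ID names; here the ID is treated as untrusted input that must be a
 * canonical path under a public prefix.
 */
public class RestrictedResourcePortlet extends GenericPortlet {

    // Assumption: only static assets under this prefix are meant to be served.
    static final String ALLOWED_PREFIX = "/resources/";

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        String resourceId = request.getResourceID();
        if (!isAllowedResourceId(resourceId)) {
            // Same response for every rejected ID so the check does not reveal
            // which paths exist in the web application.
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        PortletRequestDispatcher dispatcher =
                getPortletContext().getRequestDispatcher(resourceId);
        if (dispatcher == null) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        dispatcher.forward(request, response);
    }

    /**
     * Accepts a resource ID only if it is already in canonical form (no "." or
     * ".." segments, no percent-encoding, no query or fragment), starts with
     * ALLOWED_PREFIX, and never names a WEB-INF or META-INF segment.
     */
    static boolean isAllowedResourceId(String resourceId) {
        if (resourceId == null || !resourceId.startsWith("/") || resourceId.contains("\\")) {
            return false;
        }
        String canonical;
        try {
            // normalize() collapses "." and ".." segments; getPath() decodes
            // percent-escapes and drops any query string or fragment.
            canonical = URI.create(resourceId).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return false; // not a syntactically valid URI (e.g. contains a space)
        }
        if (canonical == null || !canonical.equals(resourceId)) {
            // "/resources/../WEB-INF/web.xml" normalizes to "/WEB-INF/web.xml",
            // "/resources/%2e%2e/x" decodes to "/resources/../x": both differ
            // from the raw ID and are rejected.
            return false;
        }
        if (!canonical.startsWith(ALLOWED_PREFIX)) {
            return false;
        }
        for (String segment : canonical.split("/")) {
            String s = segment.toUpperCase(Locale.ROOT);
            if (s.equals("WEB-INF") || s.equals("META-INF")) {
                return false;
            }
        }
        return true;
    }
}
```

With these rules "/resources/css/site.css" is dispatched, while "/WEB-INF/web.xml", "/resources/../WEB-INF/web.xml" and "/resources/%2e%2e/WEB-INF/web.xml" all receive a 404. Requiring the raw ID to equal its canonical form is deliberately strict: it also rejects unusual but harmless names, which is the safer failure direction for a path that ends up in a request dispatcher. Deployments that cannot move to the fixed JBoss Portal release can apply the same idea in their own portlets; the allowlist prefix should match where the application actually keeps its public assets.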
Red Hat would like to thank Liferay, Inc. for reporting this issue.
This issue has been addressed in the following products:
JBoss Portal 6.2.0
Via RHSA-2015:1226 https://rhn.redhat.com/errata/RHSA-2015-1226.html