Cross-Site Scripting Vulnerability in Liferay Portal and DXP Products
CVE-2023-37940
4.8 MEDIUM
What is CVE-2023-37940?
CVE-2023-37940 is a Cross-Site Scripting (XSS) vulnerability affecting Liferay Portal versions 7.0.0 through 7.4.3.87 and Liferay DXP versions 7.4 GA through update 87 and 7.3 GA through update 29, as well as older unsupported versions. It allows remote attackers to inject arbitrary web script or HTML into a service access policy's 'Service Class' text field via a crafted payload. If exploited, this flaw could lead to unauthorized access, data theft and other malicious activity, so organizations running affected versions should apply the vendor patches promptly.
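The flaw described above follows the classic XSS pattern: a free-text field is stored and later written back into a page without output encoding. The following is an added example, not Liferay code and not taken from the advisory, that contrasts the vulnerable rendering pattern with the encoded form and adds an input allowlist. The assumption that the 'Service Class' field only ever needs to hold a fully qualified Java class name is ours; the field value and payload are constructed samples.

```javascript
// Added example (not Liferay code): defensive layers for a free-text
// "Service Class" value that is later rendered into an HTML page.
//
// renderUnsafe()            - the vulnerable pattern: the stored value is
//                             concatenated into markup verbatim.
// renderSafe()              - output encoding for the HTML text context,
//                             the standard fix for this class of XSS.
// isValidServiceClassName() - an allowlist on input, assuming (our
//                             assumption, not stated by the advisory) that
//                             the field only holds a Java class name.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can break out of an HTML text/attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: any markup in the value becomes live HTML on the rendered page.
function renderUnsafe(serviceClass) {
  return `<td class="service-class">${serviceClass}</td>`;
}

// Fixed: the value is displayed as literal text whatever it contains.
function renderSafe(serviceClass) {
  return `<td class="service-class">${escapeHtml(serviceClass)}</td>`;
}

// Java identifier segments joined by dots: no whitespace, angle brackets,
// quotes or slashes can pass, so markup is rejected before it is stored.
const SERVICE_CLASS_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function isValidServiceClassName(value) {
  return typeof value === 'string' && value.length <= 512 && SERVICE_CLASS_RE.test(value);
}

// Constructed sample values (not from the advisory).
const SAMPLE_CLASS = 'com.example.portal.service.FooService';
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

// Runs both renderers and both validator cases so the difference is visible.
function demo() {
  return {
    unsafe: renderUnsafe(SAMPLE_PAYLOAD),
    safe: renderSafe(SAMPLE_PAYLOAD),
    acceptsClassName: isValidServiceClassName(SAMPLE_CLASS),
    rejectsPayload: isValidServiceClassName(SAMPLE_PAYLOAD),
  };
}

console.log(demo());
```

Output encoding at render time is the fix that holds regardless of what the field is allowed to contain; the allowlist is a second layer that also keeps junk out of the stored policy, and it should be tightened or dropped if the real field accepts values other than class names.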
Affected Version(s)
DXP 7.0.10
DXP 7.1.10
DXP 7.2.10