Cross-Site Scripting Vulnerability in Liferay Portal and DXP Products
CVE-2023-37940

4.8MEDIUM

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 17 December 2024

What is CVE-2023-37940?

CVE-2023-37940 is a Cross-Site Scripting (XSS) vulnerability affecting Liferay Portal versions 7.0.0 through 7.4.3.87, and Liferay DXP versions 7.4 GA through update 87, 7.3 GA through update 29, as well as older unsupported versions. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML into a service access policy's 'Service Class' text field via a specially crafted payload. If exploited, this flaw could lead to unauthorized access, data theft, and various malicious activities, making it imperative for organizations using affected versions to apply the necessary patches immediately.

Affected Version(s)

DXP 7.0.10

DXP 7.1.10

DXP 7.2.10

References

https://liferay.dev/portal/security/known-vulnerabilities...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 17, 2024
Vulnerability Reserved
Jul 11, 2023

Credit

milCERT AT

Abderrahmane BOUNHIDJA