Liferay Portal vulnerable to reflected XSS
CVE-2023-40191

6.1MEDIUM

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 21 February 2024

Summary

A reflected cross-site scripting vulnerability exists in Liferay Portal and Liferay DXP that enables remote attackers to exploit the 'Blocked Email Domains' input field. By crafting a malicious payload, attackers can inject arbitrary scripts or HTML, potentially leading to various forms of attacks on users. This vulnerability affects multiple releases of Liferay Portal from version 7.4.3.44 through 7.4.3.97, as well as Liferay DXP 2023.Q3 prior to patch number 6. Effective remediation measures should be employed to prevent exploitation.

Affected Version(s)

DXP 2023.q3.1 <= 2023.q3.5

DXP 7.4.13.u44 <= 7.4.13.u92

Portal 7.4.3.44 <= 7.4.3.97

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Aug 10, 2023

Credit

Amin ACHOUR