Arbitrary Script Injection Vulnerability in Liferay Portal
CVE-2023-42496

6.1MEDIUM

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 21 February 2024

Summary

A reflected cross-site scripting vulnerability exists on the 'add assignees to a role' page of Liferay Portal and Liferay DXP products. This vulnerability occurs due to improper handling of the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter, enabling remote attackers to inject malicious web scripts or HTML. Successful exploitation of this vulnerability can lead to unauthorized actions and compromise the integrity of affected web applications, making it critical for users to apply the necessary patches and updates.

Affected Version(s)

DXP 2023.q3.1 <= 2023.q3.5

DXP 7.4.13 <= 7.4.13.u92

DXP 7.3.10 <= 7.3.10-dxp-33

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Sep 11, 2023

Credit

Amin ACHOUR