Arbitrary Script Injection Vulnerability in Liferay Portal
CVE-2023-42498

6.1MEDIUM

Key Information:

Vendor: Liferay
Status: Portal; DXP
Vendor: CVE Published:; 21 February 2024

Summary

A reflected cross-site scripting vulnerability exists in the Language Override edit screen of Liferay Portal and Liferay DXP. This issue affects Liferay Portal versions 7.4.3.8 to 7.4.3.97 and Liferay DXP 2023.Q3 prior to patch 5, as well as Liferay Portal 7.4 update 4 through 92. Attackers can exploit this vulnerability by injecting arbitrary web scripts or HTML code via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter, potentially compromising the security of the affected systems and users.

Affected Version(s)

DXP 2023.q3.1 <= 2023.q3.4

DXP 7.4.13.u4 <= 7.4.13.u92

Portal 7.4.3.8 <= 7.4.3.97

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Sep 11, 2023

Credit

Amin ACHOUR