Stored Cross-Site Scripting Vulnerabilities in Liferay Portal by Liferay
CVE-2023-42627
What is CVE-2023-42627?
Multiple stored cross-site scripting (XSS) vulnerabilities exist in the Commerce module of Liferay Portal 7.3.5 through 7.4.3.91, and of Liferay DXP 7.3 update 33 and earlier and 7.4 before update 92. User-supplied text saved in Commerce fields such as the Shipping and Billing details is later rendered without adequate output encoding, so a user who can save an order or address can store arbitrary HTML or script in those fields. The payload executes in the browser of any user who later views the stored details, which for these fields typically means store staff or administrators, and can be used to read session data, perform actions with the victim's privileges, or alter what the victim sees on the site.
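The render-time mistake behind a stored XSS like this one, reduced to a minimal store-then-render flow, as an added example. This is not Liferay code and does not reproduce the Commerce templates; the address fields, the shop structure, and the sample records are constructed for illustration. It puts the vulnerable rendering beside the encoded version and adds a triage helper that scans already-stored records for tag-like content, which is useful when you inherit a database that may have been seeded before the fix was applied.

```javascript
// Added example (hypothetical shop, not Liferay's code): a stored XSS in an
// address field, shown as "attacker saves record, victim views record".

// Constructed sample data: the second record's street line carries a payload
// that a customer could type into a shipping or billing form.
const storedAddresses = [
  { name: 'Alice', street: '12 Main St', city: 'Springfield' },
  { name: 'Mallory', street: '<img src=x onerror="alert(document.cookie)">', city: 'Anytown' },
];

// Vulnerable: stored, attacker-controlled strings are concatenated straight
// into markup. In a browser, assigning this to innerHTML runs the onerror handler
// in the viewer's session (e.g. an administrator reviewing orders).
function renderAddressUnsafe(a) {
  return `<div class="address"><b>${a.name}</b><br>${a.street}<br>${a.city}</div>`;
}

// HTML-encode the five characters that can break out of text content or a
// double/single-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted field is encoded at output time, so the payload is
// displayed as literal text instead of being parsed as a tag.
function renderAddressSafe(a) {
  return `<div class="address"><b>${escapeHtml(a.name)}</b><br>${escapeHtml(a.street)}<br>${escapeHtml(a.city)}</div>`;
}

// Triage aid for reviewing already-stored data: flags values that contain a
// tag, an inline event handler, or a javascript: URL. This is for finding
// records to inspect, not a filter to rely on; output encoding is the fix.
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousFields(addresses) {
  const hits = [];
  addresses.forEach((a, index) => {
    for (const [field, value] of Object.entries(a)) {
      if (SUSPICIOUS.test(value)) hits.push({ index, field });
    }
  });
  return hits;
}

// Stand-alone demo: compare both renderings of the malicious record.
console.log('unsafe:', renderAddressUnsafe(storedAddresses[1]));
console.log('safe:  ', renderAddressSafe(storedAddresses[1]));
console.log('flagged:', JSON.stringify(findSuspiciousFields(storedAddresses)));
```

Encoding at the point of output is the control that matters here; stripping or rejecting input at save time is a useful second layer but is routinely bypassed by alternate encodings, which is why the scanner above is positioned as a review tool rather than a defense.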
Affected Version(s)
Liferay DXP 7.3.10: update 33 and earlier
Liferay DXP 7.4.13: update 91 and earlier (fixed in update 92)
Liferay Portal: 7.3.5 through 7.4.3.91
Exploit Proof of Concept (PoC)
Proof-of-concept (PoC) code is written by security researchers to demonstrate that a vulnerability can actually be exploited. Public PoC code is also a key building block for weaponization, since it lowers the effort required to turn a disclosed flaw into a working attack chain, up to and including ransomware deployment.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved