Stored Cross-Site Scripting Vulnerabilities in Liferay Portal by Liferay
CVE-2023-42627

9.6CRITICAL

Key Information:

Vendor

Liferay

Status
Vendor
CVE Published:
17 October 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-42627?

Multiple stored cross-site scripting (XSS) vulnerabilities have been identified in the Commerce module of Liferay Portal versions ranging from 7.3.5 to 7.4.3.91, as well as in Liferay DXP 7.3 update 33 and earlier and 7.4 before update 92. These vulnerabilities allow attackers to exploit various user-input fields such as Shipping and Billing details, enabling them to inject arbitrary web scripts or malicious HTML payloads. Such vulnerabilities pose significant security risks, as they can facilitate the execution of harmful scripts in the browser context of users, potentially leading to data theft or unauthorized actions on behalf of the affected site.

Affected Version(s)

DXP 7.3.10 <= 7.3.10.*

DXP 7.4.13 <= 7.4.13.u91

Portal 7.3.5 <= 7.4.3.91

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Oelke
.
CVE-2023-42627 : Stored Cross-Site Scripting Vulnerabilities in Liferay Portal by Liferay