Stored Cross-Site Scripting Vulnerability in Liferay Portal and DXP Products
CVE-2023-44310

9CRITICAL

Key Information:

Vendor: Liferay
Status: Dxp; Portal
Vendor: CVE Published:; 17 October 2023

What is CVE-2023-44310?

A stored cross-site scripting (XSS) vulnerability has been identified in Liferay Portal and Liferay DXP, specifically affecting versions 7.3.6 through 7.4.3.78 and 7.3 fix pack 1 through update 23, as well as 7.4 prior to update 79. This vulnerability allows remote attackers to inject malicious web scripts or HTML into the page's 'Name' text field using a specially crafted payload.

Affected Version(s)

DXP 7.3.10.sp1 <= 7.3.10.u23

DXP 7.4.13 <= 7.4.13.u78

Portal 7.3.6 <= 7.4.3.78

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 17, 2023
Vulnerability Reserved
Sep 28, 2023