Stored XSS vulnerability in Liferay Portal
CVE-2023-47795
5.4 MEDIUM
Summary
A stored cross-site scripting (XSS) vulnerability in the Document and Media widget of Liferay Portal and Liferay DXP allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload placed in a document's 'Title' text field. Affected versions are Liferay Portal 7.4.3.18 through 7.4.3.101, Liferay DXP 7.4 update 18 through update 92, and Liferay DXP 2023.Q3 before patch 6. The flaw exposes affected systems to potential breaches and unauthorized access.
Affected Version(s)
DXP 2023.q3.1 <= 2023.q3.5
DXP 7.4.13.u18 <= 7.4.13.u92
Portal 7.4.3.18 <= 7.4.3.101
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Erwin Krazek