Lucene search

LiferayCVE-2023-42629

HistoryOct 17, 2023 - 9:15 a.m.

CVE-2023-42629

2023-10-1709:15:10

CWE-79

Liferay

web.nvd.nist.gov

cve-2023-42629

stored xss

liferay portal

nvd

vulnerability

security

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

26.2%

JSON

Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary’s ‘description’ text field.

Affected configurations

Nvd

Node

liferaydigital_experience_platformMatch7.4-

liferaydigital_experience_platformMatch7.4update1

liferaydigital_experience_platformMatch7.4update21

liferaydigital_experience_platformMatch7.4update34

liferaydigital_experience_platformMatch7.4update36

liferaydigital_experience_platformMatch7.4update41

liferaydigital_experience_platformMatch7.4update48

liferaydigital_experience_platformMatch7.4update50

liferaydigital_experience_platformMatch7.4update52

liferaydigital_experience_platformMatch7.4update62

liferaydigital_experience_platformMatch7.4update67

liferaydigital_experience_platformMatch7.4update76

liferaydigital_experience_platformMatch7.4update81

liferaydigital_experience_platformMatch7.4update82

liferaydigital_experience_platformMatch7.4update83

liferaydigital_experience_platformMatch7.4update84

liferaydigital_experience_platformMatch7.4update85

liferaydigital_experience_platformMatch7.4update86

liferayliferay_portalRange7.4.2–7.4.3.88

VendorProductVersionCPE
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*

Vendor	Product	Version	CPE
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:-::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update1::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update21::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update34::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update36::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update41::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update48::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update50::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update52::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update62::::::

Rows per page:

1-10 of 191

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "DXP",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.13.u87",
        "status": "affected",
        "version": "7.4.13",
        "versionType": "maven"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Portal",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.3.87",
        "status": "affected",
        "version": "7.4.2",
        "versionType": "maven"
      }
    ]
  }
]

References

liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629

www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

26.2%

JSON

Related for CVE-2023-42629