Cross-site scripting in Liferay Portal

2023-05-2415:30:27

Google

osv.dev

cross-site scripting

liferay portal

app builder

vulnerability

remote attackers

web script

html

payload

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

29.6%

JSON

Cross-site scripting (XSS) vulnerability in the App Builder module’s custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object’s Name field.

CPENameOperatorVersion
com.liferay.portal:release.portal.bomeq7.3.0-1
com.liferay.portal:release.portal.bomeq7.4.0
com.liferay.portal:release.portal.bomeq7.3.3
com.liferay.portal:release.portal.bomeq7.3.2
com.liferay.portal:release.portal.bomeq7.3.7
com.liferay.portal:release.portal.bomeq7.3.1
com.liferay.portal:release.portal.bomeq7.3.0
com.liferay.portal:release.portal.bomeq7.3.4
com.liferay.portal:release.portal.bomeq7.3.1-1
com.liferay.portal:release.portal.bomeq7.3.3-1

Name	Operator	Version
com.liferay.portal:release.portal.bom	eq	7.3.0-1
com.liferay.portal:release.portal.bom	eq	7.4.0
com.liferay.portal:release.portal.bom	eq	7.3.3
com.liferay.portal:release.portal.bom	eq	7.3.2
com.liferay.portal:release.portal.bom	eq	7.3.7
com.liferay.portal:release.portal.bom	eq	7.3.1
com.liferay.portal:release.portal.bom	eq	7.3.0
com.liferay.portal:release.portal.bom	eq	7.3.4
com.liferay.portal:release.portal.bom	eq	7.3.1-1
com.liferay.portal:release.portal.bom	eq	7.3.3-1