Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.
References
Link | Resource |
---|---|
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
24 Oct 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
References | (MISC) https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309 - Vendor Advisory | |
First Time |
Liferay digital Experience Platform
Liferay liferay Portal Liferay |
|
CWE | CWE-79 |
17 Oct 2023, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-10-17 09:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-44309
Mitre link : CVE-2023-44309
CVE.ORG link : CVE-2023-44309
JSON object : View
Products Affected
liferay
- liferay_portal
- digital_experience_platform
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')