Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-3670Cross-site Scripting in Portal

CWE-79Cross-site Scripting6 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
9.3%
top 7.25%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Liferay Portal
Timeline
PublishedJun 13
Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

3
OSV
Liferay Portal Vulnerable to XSS in Profile Search Functionality2022-05-17
GHSA
Liferay Portal Vulnerable to XSS in Profile Search Functionality2022-05-17
CVEList
CVE-2016-3670: Cross-site scripting (XSS) vulnerability in users2016-06-13

💥Exploits & PoCs

1
Exploit-DB
Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting2016-06-02
CVE-2016-3670 — Cross-site Scripting in Liferay Portal | cvebase