CVE-2017-1000425Cross-site Scripting in Portal

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
0.3%
top 50.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Liferay Portal
Timeline
PublishedJan 2
Latest updateMay 14

Description

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

NVDliferay/liferay_portal< 7.0.3_ga4

Patches

Patch: dev.liferay.comPatch: github.comPatch: dev.liferay.com

🔴Vulnerability Details

3
OSV
Liferay Portal XSS vulnerability via movie parameter in the /html/portal/flash.jsp page2022-05-14
GHSA
Liferay Portal XSS vulnerability via movie parameter in the /html/portal/flash.jsp page2022-05-14
CVEList
CVE-2017-1000425: Cross-site scripting (XSS) vulnerability in the /html/portal/flash2018-01-02
CVE-2017-1000425 — Cross-site Scripting in Portal | cvebase