Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-7934Cross-site Scripting in Portal

CWE-79Cross-site Scripting5 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
3.3%
top 12.79%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Liferay Portal
Timeline
PublishedJan 28
Latest updateMay 24

Description

In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE versio

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

NVDliferay/liferay_portal7.1.07.2.1

🔴Vulnerability Details

3
OSV
Liferay Portal Vulnerable to Persistent Cross-Site Scripting (XSS) in MyAccountPortlet2022-05-24
GHSA
Liferay Portal Vulnerable to Persistent Cross-Site Scripting (XSS) in MyAccountPortlet2022-05-24
CVEList
CVE-2020-7934: In LifeRay Portal CE 72020-01-28

💥Exploits & PoCs

1
Exploit-DB
LifeRay 7.2.1 GA2 - Stored XSS2020-11-23
CVE-2020-7934 — Cross-site Scripting in Liferay Portal | cvebase