CVE-2023-42498 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

CNA9.6

EPSS

0.4%

top 36.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedFeb 21

Description

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.3.8 — 7.4.3.98

▶CVEListV5liferay/portal7.4.3.8 — 7.4.3.97

▶CVEListV5liferay/dxp2023.q3.1 — 2023.q3.4+1

▶NVDliferay/digital_experience_platform6 versions+5

🔴Vulnerability Details

CVEList

CVE-2023-42498: Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7↗2024-02-21

▶

OSV

Liferay Portal Language Override edit screen and Liferay DXP vulnerable to reflected Cross-site Scripting↗2024-02-21

▶

GHSA

Liferay Portal Language Override edit screen and Liferay DXP vulnerable to reflected Cross-site Scripting↗2024-02-21

▶