CVE-2023-42628Cross-site Scripting in Portal

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
CNA9.0
EPSS
0.2%
top 63.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Liferay PortalLiferay DXPLiferay Portal+1 more
Timeline
PublishedOct 17

Description

Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

NVDliferay/liferay_portal7.1.07.4.3.88
CVEListV5liferay/portal7.1.07.4.3.87
CVEListV5liferay/dxp7.0.10-de-837.0.10-*+4

🔴Vulnerability Details

3
GHSA
Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget2023-10-17
OSV
Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget2023-10-17
CVEList
CVE-2023-42628: Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 72023-10-17
CVE-2023-42628 — Cross-site Scripting in Liferay Portal | cvebase