CVE-2023-44310 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA9.0

EPSS

0.2%

top 57.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 17

Description

Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text field.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶NVDliferay/liferay_portal7.3.6 — 7.4.3.49

▶CVEListV5liferay/portal7.3.6 — 7.4.3.78

▶CVEListV5liferay/dxp7.3.10.sp1 — 7.3.10.u23+1

▶NVDliferay/digital_experience_platform7.1, 7.4+1

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP Vulnerable to XSS via the Page Tree Menu↗2023-10-17

▶

CVEList

CVE-2023-44310: Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7↗2023-10-17

▶

OSV

Liferay Portal and Liferay DXP Vulnerable to XSS via the Page Tree Menu↗2023-10-17

▶