Security Listings

LIferay DXP 7.0 LIferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Liferay Portal 7.1 Liferay Portal 7.2 Liferay Portal 7.3 Liferay Portal 7.4

9.0

CVE-2023-42628 XSS with child wiki pages

Description

Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.

Severity

9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Affected Version(s)

Liferay DXP 7.0 fix pack 83 and above
Liferay DXP 7.1
Liferay DXP 7.2
Liferay DXP 7.3
Liferay DXP 7.4 before update 88
Liferay Portal 7.1.0 through 7.4.3.87

Fixed Version(s)

Liferay DXP 7.3 update 34
Liferay DXP 7.4 update 88
Liferay Portal 7.4.3.88

Acknowledgments

This issue was reported by Michael Oelke

CVE-2023-42628

Publication Date:

d’octubre 13, 2023

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback