Security Listings

LIferay DXP 7.0 LIferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Liferay Portal 7.0 Liferay Portal 7.1 Liferay Portal 7.2 Liferay Portal 7.3 Liferay Portal 7.4

4.8

CVE-2023-37940 XSS with "Service Class" in Service Access Policy

Description

Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.

Severity

4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

Affected Version(s)

Liferay Portal 7.0.0 through 7.4.3.87
Liferay DXP 7.4 GA through update 87
Liferay DXP 7.3 GA through update 29
Liferay DXP 7.2
Liferay DXP 7.1
Liferay DXP 7.0

Fixed Version(s)

Liferay Portal 7.4.3.88
Liferay DXP 2023.Q3.1
Liferay DXP 7.4 update 88
Liferay DXP 7.3 update 30

Acknowledgments

This issue was reported by milCERT AT and Abderrahmane BOUNHIDJA

CVE-2023-37940

Publication Date:

oktober 30, 2024

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback