Description
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field
The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.
Severity
5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Version(s)
- Liferay Portal 7.2.0 through 7.4.3.111
- Liferay DXP 2023.Q4.0 through 2023.Q4.10
- Liferay DXP 2023.Q3.1 through 2023.Q3.8
- Liferay DXP 7.4
- Liferay DXP 7.3, and older unsupported versions
Fixed Version(s)
- Liferay Portal 7.4.3.112
- Liferay DXP 2024.Q1.1
- Liferay DXP 2023.Q3.9
Acknowledgments
This issue was reported by foobar7
Publication date: Tue, 05 Nov 2024 18:24:00 +0000