CVE-2023-33943 XSS with user name in account

Description

Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.

Severity

5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Version(s)

Liferay DXP 7.4 update 21 through 62
Liferay Portal 7.4.3.21 - 7.4.3.62

Fixed Version(s)

Liferay DXP 7.4 update 63
Liferay Portal 7.4.3.63

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)