Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00Njh4LWZyY20tZ2h4Ns4AA5aB
Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting
Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field
Permalink: https://github.com/advisories/GHSA-468x-frcm-ghx6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Njh4LWZyY20tZ2h4Ns4AA5aB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 9 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-468x-frcm-ghx6, CVE-2023-40191
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-40191
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191
- https://github.com/advisories/GHSA-468x-frcm-ghx6
Affected Packages
maven:com.liferay.portal:release.dxp.bom
Dependent packages: 0Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 7.4.13.u44, <= 7.4.13.u92, >= 2023.Q3, < 2023.Q3.6
Fixed in: , 2023.Q3.6
All affected versions: 7.1.10, 7.2.1, 7.2.10, 7.3.10, 7.4.1-3.u5, 7.4.1-3.u6, 7.4.1-3.u7, 7.4.1-3.u8, 7.4.1-3.u9, 7.4.1-3.u44, 7.4.1-3.u45, 7.4.1-3.u46, 7.4.1-3.u47, 7.4.1-3.u48, 7.4.1-3.u49, 7.4.1-3.u50, 7.4.1-3.u51, 7.4.1-3.u52, 7.4.1-3.u53, 7.4.1-3.u54, 7.4.1-3.u55, 7.4.1-3.u56, 7.4.1-3.u57, 7.4.1-3.u58, 7.4.1-3.u59, 7.4.1-3.u60, 7.4.1-3.u61, 7.4.1-3.u62, 7.4.1-3.u63, 7.4.1-3.u64, 7.4.1-3.u65, 7.4.1-3.u66, 7.4.1-3.u67, 7.4.1-3.u68, 7.4.1-3.u69, 7.4.1-3.u70, 7.4.1-3.u71, 7.4.1-3.u72, 7.4.1-3.u73, 7.4.1-3.u74, 7.4.1-3.u75, 7.4.1-3.u76, 7.4.1-3.u77, 7.4.1-3.u78, 7.4.1-3.u79, 7.4.1-3.u80, 7.4.1-3.u81, 7.4.1-3.u82, 7.4.1-3.u83, 7.4.1-3.u84, 7.4.1-3.u85, 7.4.1-3.u86, 7.4.1-3.u87, 7.4.1-3.u88, 7.4.1-3.u89, 7.4.1-3.u90, 7.4.1-3.u91, 7.4.1-3.u92, 7.4.11, 7.4.12, 7.4.13
All unaffected versions:
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.4.3.44, <= 7.4.3.97
No known fixed version
All affected versions: