Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01M213LTY5cXgtcTRmY84AAzdG
Cross-site scripting in Liferay Portal
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
Permalink: https://github.com/advisories/GHSA-53mw-69qx-q4fcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01M213LTY5cXgtcTRmY84AAzdG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-53mw-69qx-q4fc, CVE-2023-33939
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33939
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939
- https://github.com/advisories/GHSA-53mw-69qx-q4fc
Affected Packages
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.1.0, < 7.4.3.13
Fixed in: 7.4.3.13
All affected versions: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2
All unaffected versions: 7.0.6