Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NHB2LXI2MmotOXFxY84AA5aC
Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting
Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NHB2LXI2MmotOXFxY84AA5aC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 9.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-54pv-r62j-9qqc, CVE-2023-42496
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-42496
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42496
- https://github.com/advisories/GHSA-54pv-r62j-9qqc
Affected Packages
maven:com.liferay.portal:release.dxp.bom
Dependent packages: 0Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 2023.Q3, < 2023.Q3.6, >= 7.3.10.ep3, < 7.3.10.u34, >= 7.4.10.ep1, <= 7.4.13.u92
Fixed in: 2023.Q3.6, 7.3.10.u34,
All affected versions: 7.1.10, 7.2.1, 7.2.10, 7.3.1-0.ep3, 7.3.1-0.ep4, 7.3.1-0.ep5, 7.3.1-0.fp1, 7.3.1-0.fp2, 7.3.1-0.u10, 7.3.1-0.u11, 7.3.1-0.u12, 7.3.1-0.u13, 7.3.1-0.u14, 7.3.1-0.u15, 7.3.1-0.u16, 7.3.1-0.u17, 7.3.1-0.u18, 7.3.1-0.u19, 7.3.1-0.u19-1, 7.3.1-0.u20, 7.3.1-0.u20-1, 7.3.1-0.u21, 7.3.1-0.u21-1, 7.3.1-0.u22, 7.3.1-0.u22-1, 7.3.1-0.u23, 7.3.1-0.u24, 7.3.1-0.u25, 7.3.1-0.u26, 7.3.1-0.u27, 7.3.1-0.u28, 7.3.1-0.u29, 7.3.1-0.u30, 7.3.1-0.u31, 7.3.1-0.u32, 7.3.1-0.u33, 7.3.10, 7.4.1-0.ep1, 7.4.1-3.u1, 7.4.1-3.u2, 7.4.1-3.u3, 7.4.1-3.u4, 7.4.1-3.u5, 7.4.1-3.u6, 7.4.1-3.u7, 7.4.1-3.u8, 7.4.1-3.u9, 7.4.1-3.u10, 7.4.1-3.u15, 7.4.1-3.u16, 7.4.1-3.u17, 7.4.1-3.u18, 7.4.1-3.u19, 7.4.1-3.u20, 7.4.1-3.u21, 7.4.1-3.u22, 7.4.1-3.u23, 7.4.1-3.u24, 7.4.1-3.u25, 7.4.1-3.u26, 7.4.1-3.u27, 7.4.1-3.u28, 7.4.1-3.u29, 7.4.1-3.u30, 7.4.1-3.u31, 7.4.1-3.u32, 7.4.1-3.u33, 7.4.1-3.u34, 7.4.1-3.u35, 7.4.1-3.u36, 7.4.1-3.u37, 7.4.1-3.u38, 7.4.1-3.u39, 7.4.1-3.u40, 7.4.1-3.u41, 7.4.1-3.u42, 7.4.1-3.u43, 7.4.1-3.u44, 7.4.1-3.u45, 7.4.1-3.u46, 7.4.1-3.u47, 7.4.1-3.u48, 7.4.1-3.u49, 7.4.1-3.u50, 7.4.1-3.u51, 7.4.1-3.u52, 7.4.1-3.u53, 7.4.1-3.u54, 7.4.1-3.u55, 7.4.1-3.u56, 7.4.1-3.u57, 7.4.1-3.u58, 7.4.1-3.u59, 7.4.1-3.u60, 7.4.1-3.u61, 7.4.1-3.u62, 7.4.1-3.u63, 7.4.1-3.u64, 7.4.1-3.u65, 7.4.1-3.u66, 7.4.1-3.u67, 7.4.1-3.u68, 7.4.1-3.u69, 7.4.1-3.u70, 7.4.1-3.u71, 7.4.1-3.u72, 7.4.1-3.u73, 7.4.1-3.u74, 7.4.1-3.u75, 7.4.1-3.u76, 7.4.1-3.u77, 7.4.1-3.u78, 7.4.1-3.u79, 7.4.1-3.u80, 7.4.1-3.u81, 7.4.1-3.u82, 7.4.1-3.u83, 7.4.1-3.u84, 7.4.1-3.u85, 7.4.1-3.u86, 7.4.1-3.u87, 7.4.1-3.u88, 7.4.1-3.u89, 7.4.1-3.u90, 7.4.1-3.u91, 7.4.1-3.u92, 7.4.1-3.u100, 7.4.1-3.u101, 7.4.1-3.u102, 7.4.1-3.u112, 7.4.11, 7.4.12, 7.4.13
All unaffected versions:
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.3.3, <= 7.4.3.97
No known fixed version
All affected versions: 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2