advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xMmN2LTdqNTgtcmZtas4AA5bF

Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting

Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.

Permalink: https://github.com/advisories/GHSA-q2cv-7j58-rfmj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xMmN2LTdqNTgtcmZtas4AA5bF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 12 months ago
Updated: 8 days ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Percentage: 0.00048
EPSS Percentile: 0.2035

Identifiers: GHSA-q2cv-7j58-rfmj, CVE-2023-47795
References: Blast Radius: 13.8

Affected Packages

maven:com.liferay.portal:release.dxp.bom
Dependent packages: 0
Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 7.4.13.u18, <= 7.4.13.u92, >= 2023.Q3, < 2023.Q3.6
Fixed in: , 2023.Q3.6
All affected versions: 7.1.10, 7.2.1, 7.2.10, 7.3.10, 7.4.1-3.u2, 7.4.1-3.u3, 7.4.1-3.u4, 7.4.1-3.u5, 7.4.1-3.u6, 7.4.1-3.u7, 7.4.1-3.u8, 7.4.1-3.u9, 7.4.1-3.u18, 7.4.1-3.u19, 7.4.1-3.u20, 7.4.1-3.u21, 7.4.1-3.u22, 7.4.1-3.u23, 7.4.1-3.u24, 7.4.1-3.u25, 7.4.1-3.u26, 7.4.1-3.u27, 7.4.1-3.u28, 7.4.1-3.u29, 7.4.1-3.u30, 7.4.1-3.u31, 7.4.1-3.u32, 7.4.1-3.u33, 7.4.1-3.u34, 7.4.1-3.u35, 7.4.1-3.u36, 7.4.1-3.u37, 7.4.1-3.u38, 7.4.1-3.u39, 7.4.1-3.u40, 7.4.1-3.u41, 7.4.1-3.u42, 7.4.1-3.u43, 7.4.1-3.u44, 7.4.1-3.u45, 7.4.1-3.u46, 7.4.1-3.u47, 7.4.1-3.u48, 7.4.1-3.u49, 7.4.1-3.u50, 7.4.1-3.u51, 7.4.1-3.u52, 7.4.1-3.u53, 7.4.1-3.u54, 7.4.1-3.u55, 7.4.1-3.u56, 7.4.1-3.u57, 7.4.1-3.u58, 7.4.1-3.u59, 7.4.1-3.u60, 7.4.1-3.u61, 7.4.1-3.u62, 7.4.1-3.u63, 7.4.1-3.u64, 7.4.1-3.u65, 7.4.1-3.u66, 7.4.1-3.u67, 7.4.1-3.u68, 7.4.1-3.u69, 7.4.1-3.u70, 7.4.1-3.u71, 7.4.1-3.u72, 7.4.1-3.u73, 7.4.1-3.u74, 7.4.1-3.u75, 7.4.1-3.u76, 7.4.1-3.u77, 7.4.1-3.u78, 7.4.1-3.u79, 7.4.1-3.u80, 7.4.1-3.u81, 7.4.1-3.u82, 7.4.1-3.u83, 7.4.1-3.u84, 7.4.1-3.u85, 7.4.1-3.u86, 7.4.1-3.u87, 7.4.1-3.u88, 7.4.1-3.u89, 7.4.1-3.u90, 7.4.1-3.u91, 7.4.1-3.u92, 7.4.11, 7.4.12, 7.4.13
All unaffected versions:
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5
Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.4.3.18, <= 7.4.3.101
Fixed in: 7.4.3.102
All affected versions:
All unaffected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2