Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xMmN2LTdqNTgtcmZtas4AA5bF
Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting
Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.
Permalink: https://github.com/advisories/GHSA-q2cv-7j58-rfmjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xMmN2LTdqNTgtcmZtas4AA5bF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-q2cv-7j58-rfmj, CVE-2023-47795
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-47795
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795
- https://github.com/advisories/GHSA-q2cv-7j58-rfmj
Affected Packages
maven:com.liferay.portal:release.dxp.bom
Dependent packages: 0Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 7.4.13.u18, <= 7.4.13.u92, >= 2023.Q3, < 2023.Q3.6
Fixed in: 2023.Q3.6, 2023.Q3.6
All affected versions: 7.1.10, 7.2.1, 7.2.10, 7.3.10, 7.4.1-3.u2, 7.4.1-3.u3, 7.4.1-3.u4, 7.4.1-3.u5, 7.4.1-3.u6, 7.4.1-3.u7, 7.4.1-3.u8, 7.4.1-3.u9, 7.4.1-3.u18, 7.4.1-3.u19, 7.4.1-3.u20, 7.4.1-3.u21, 7.4.1-3.u22, 7.4.1-3.u23, 7.4.1-3.u24, 7.4.1-3.u25, 7.4.1-3.u26, 7.4.1-3.u27, 7.4.1-3.u28, 7.4.1-3.u29, 7.4.1-3.u30, 7.4.1-3.u31, 7.4.1-3.u32, 7.4.1-3.u33, 7.4.1-3.u34, 7.4.1-3.u35, 7.4.1-3.u36, 7.4.1-3.u37, 7.4.1-3.u38, 7.4.1-3.u39, 7.4.1-3.u40, 7.4.1-3.u41, 7.4.1-3.u42, 7.4.1-3.u43, 7.4.1-3.u44, 7.4.1-3.u45, 7.4.1-3.u46, 7.4.1-3.u47, 7.4.1-3.u48, 7.4.1-3.u49, 7.4.1-3.u50, 7.4.1-3.u51, 7.4.1-3.u52, 7.4.1-3.u53, 7.4.1-3.u54, 7.4.1-3.u55, 7.4.1-3.u56, 7.4.1-3.u57, 7.4.1-3.u58, 7.4.1-3.u59, 7.4.1-3.u60, 7.4.1-3.u61, 7.4.1-3.u62, 7.4.1-3.u63, 7.4.1-3.u64, 7.4.1-3.u65, 7.4.1-3.u66, 7.4.1-3.u67, 7.4.1-3.u68, 7.4.1-3.u69, 7.4.1-3.u70, 7.4.1-3.u71, 7.4.1-3.u72, 7.4.1-3.u73, 7.4.1-3.u74, 7.4.1-3.u75, 7.4.1-3.u76, 7.4.1-3.u77, 7.4.1-3.u78, 7.4.1-3.u79, 7.4.1-3.u80, 7.4.1-3.u81, 7.4.1-3.u82, 7.4.1-3.u83, 7.4.1-3.u84, 7.4.1-3.u85, 7.4.1-3.u86, 7.4.1-3.u87, 7.4.1-3.u88, 7.4.1-3.u89, 7.4.1-3.u90, 7.4.1-3.u91, 7.4.1-3.u92, 7.4.11, 7.4.12, 7.4.13
All unaffected versions:
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.4.3.18, <= 7.4.3.101
No known fixed version
All affected versions: