Lucene search

LiferayCVE-2023-42497

HistoryOct 17, 2023 - 8:15 a.m.

CVE-2023-42497

2023-10-1708:15:09

CWE-79

Liferay

web.nvd.nist.gov

cve-2023-42497

reflected xss

cross-site scripting

liferay portal

security vulnerability

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

28.8%

JSON

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect parameter.

Affected configurations

Nvd

Node

liferaydigital_experience_platformMatch7.4-

liferaydigital_experience_platformMatch7.4update1

liferaydigital_experience_platformMatch7.4update21

liferaydigital_experience_platformMatch7.4update34

liferaydigital_experience_platformMatch7.4update36

liferaydigital_experience_platformMatch7.4update41

liferaydigital_experience_platformMatch7.4update48

liferaydigital_experience_platformMatch7.4update50

liferaydigital_experience_platformMatch7.4update52

liferaydigital_experience_platformMatch7.4update62

liferaydigital_experience_platformMatch7.4update67

liferaydigital_experience_platformMatch7.4update76

liferaydigital_experience_platformMatch7.4update81

liferaydigital_experience_platformMatch7.4update82

liferaydigital_experience_platformMatch7.4update83

liferaydigital_experience_platformMatch7.4update84

liferaydigital_experience_platformMatch7.4update85

liferayliferay_portalRange7.4.3.4–7.4.3.86

VendorProductVersionCPE
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*
liferaydigital_experience_platform7.4cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*

Vendor	Product	Version	CPE
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:-::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update1::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update21::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update34::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update36::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update41::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update48::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update50::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update52::::::
liferay	digital_experience_platform	7.4	cpe:2.3:a:liferay:digital_experience_platform:7.4:update62::::::

Rows per page:

1-10 of 181

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "DXP",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.13.u85",
        "status": "affected",
        "version": "7.4.13",
        "versionType": "maven"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Portal",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.3.85",
        "status": "affected",
        "version": "7.4.3.4",
        "versionType": "maven"
      }
    ]
  }
]

References

liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

28.8%

JSON

Related for CVE-2023-42497