History: Oct 17, 2023 - 1:15 p.m.

CVE-2023-42627

2023-10-17 13:15:11
CWE-79
Liferay
web.nvd.nist.gov
Tags: cve-2023, 42627, liferay portal, dxp, xss vulnerabilities, web security, stored xss, remote attacks, nvd

CVSS3: 9.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS: 0.001
Percentile: 26.2%

Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region, (9) Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.

Affected configurations

Nvd
Node
liferay digital_experience_platform Match 7.3 -
OR
liferay digital_experience_platform Match 7.3 fix_pack_1
OR
liferay digital_experience_platform Match 7.3 fix_pack_2
OR
liferay digital_experience_platform Match 7.3 update14
OR
liferay digital_experience_platform Match 7.4 -
OR
liferay digital_experience_platform Match 7.4 update1
OR
liferay digital_experience_platform Match 7.4 update21
OR
liferay digital_experience_platform Match 7.4 update34
OR
liferay digital_experience_platform Match 7.4 update36
OR
liferay digital_experience_platform Match 7.4 update41
OR
liferay digital_experience_platform Match 7.4 update48
OR
liferay digital_experience_platform Match 7.4 update50
OR
liferay digital_experience_platform Match 7.4 update52
OR
liferay digital_experience_platform Match 7.4 update62
OR
liferay digital_experience_platform Match 7.4 update67
OR
liferay digital_experience_platform Match 7.4 update76
OR
liferay digital_experience_platform Match 7.4 update81
OR
liferay digital_experience_platform Match 7.4 update82
OR
liferay digital_experience_platform Match 7.4 update83
OR
liferay digital_experience_platform Match 7.4 update84
OR
liferay digital_experience_platform Match 7.4 update85
OR
liferay digital_experience_platform Match 7.4 update86
OR
liferay liferay_portal Range 7.3.5 to 7.4.3.92
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| liferay | digital_experience_platform | 7.3 | cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.3 | cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.3 | cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.3 | cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.4 | cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.4 | cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.4 | cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.4 | cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.4 | cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:* |
| liferay | digital_experience_platform | 7.4 | cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:* |

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "DXP",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.3.10.*",
        "status": "affected",
        "version": "7.3.10",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "7.4.13.u91",
        "status": "affected",
        "version": "7.4.13",
        "versionType": "maven"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Portal",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.3.91",
        "status": "affected",
        "version": "7.3.5",
        "versionType": "maven"
      }
    ]
  }
]
