Lucene search

Veracode Vulnerability DatabaseVERACODE:40805

HistoryJun 06, 2023 - 10:40 a.m.

Cross-site Scripting (XSS)

2023-06-0610:40:49

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

software

xss

web script

html

facet widget

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

com.liferay.portal.search.web is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in the modified facet widget, which allows an attacker to inject and execute malicious web script or HTML via a crafted payload through the facet label.

CPENameOperatorVersion
com.liferay.portal.search.weble6.0.35
com.liferay.portal.search.weble6.0.35

CPE	Name	Operator	Version
	com.liferay.portal.search.web	le	6.0.35
	com.liferay.portal.search.web	le	6.0.35

References

github.com/advisories/GHSA-53mw-69qx-q4fc

github.com/liferay/liferay-portal/commit/9e7c85ce9ed1dd07e1279362c44e27b74c4e5f16

liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939