CVE-2023-47795 – com.liferay.portal:release.dxp.bom
Package
Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=2023.q3 <2023.q3.6 || >=7.4.13.u18 <=7.4.13.u92
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00392 (percentile: 0.59398)
Details
Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting
Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.
Metadata
Created: 2024-02-21T15:30:45Z
Modified: 2025-01-28T22:23:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-q2cv-7j58-rfmj/GHSA-q2cv-7j58-rfmj.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-q2cv-7j58-rfmj
Finding: F425
Auto approve: 1