Description
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
Remediation
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939