Description

Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33939

Related Vulnerabilities

CVE-2023-34189 Vulnerability in maven package org.apache.inlong:manager-service

CVE-2022-36894 Vulnerability in maven package org.jenkins-ci.plugins:clif-performance-testing

CVE-2018-1000105 Vulnerability in maven package org.jenkins-ci.plugins:gerrit-trigger

CVE-2023-40037 Vulnerability in maven package org.apache.nifi:nifi-dbcp-service-api

CVE-2017-5645 Vulnerability in maven package org.apache.logging.log4j:log4j

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory