Description

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33942

Related Vulnerabilities

CVE-2015-8855 Vulnerability in maven package org.webjars.npm:semver

CVE-2018-14042 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap-sass

CVE-2013-1921 Vulnerability in maven package org.picketbox:jbosssx-bare

CVE-2023-46673 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2020-2305 Vulnerability in maven package org.jenkins-ci.plugins:mercurial

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory