Description

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944

Related Vulnerabilities

CVE-2021-39236 Vulnerability in maven package org.apache.ozone:ozone-main

CVE-2010-3718 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2023-48240 Vulnerability in maven package org.xwiki.platform:xwiki-platform-security-authentication-api

CVE-2019-10474 Vulnerability in maven package org.jenkins-ci.plugins:global-post-script

CVE-2018-1256 Vulnerability in maven package io.pivotal.spring.cloud:spring-cloud-sso-connector

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory