Description

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944

Related Vulnerabilities

CVE-2013-6447 Vulnerability in maven package org.jboss.seam:jboss-seam

CVE-2014-7810 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-jasper

CVE-2011-3375 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2023-26471 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-async-macro

CVE-2023-24445 Vulnerability in maven package org.jenkins-ci.plugins:openid

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory