Description

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944

Related Vulnerabilities

CVE-2022-23712 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2017-5641 Vulnerability in maven package org.apache.flex.blazeds:flex-messaging-core

CVE-2019-10320 Vulnerability in maven package org.jenkins-ci.plugins:credentials

CVE-2021-45105 Vulnerability in maven package org.apache.logging.log4j:log4j-core

CVE-2020-6506 Vulnerability in maven package org.webjars.npm:react-native-webview

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory