WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-40191)

Description

Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field

Remediation

References

Related Vulnerabilities

Undertow Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') Vulnerability (CVE-2021-20220)

ReviveAdserver Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2013-7149)

Drupal Other Vulnerability (CVE-2005-1871)

Oracle JRE CVE-2019-2999 Vulnerability (CVE-2019-2999)

WordPress Plugin Fancy Product Designer-WooCommerce Arbitrary File Upload (4.6.8)

Severity

Medium

Classification

CVE-2023-40191 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities