CVE-2023-33938

Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.
Cross-site Scripting
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | NIST | 4.8 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| Liferay | CNA | 4.8 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |
EPSS Score percentile: 29%
| Vendor | Product | Version |
| --- | --- | --- |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3:update1 |
| liferay | digital_experience_platform | 7.3:update10 |
| liferay | digital_experience_platform | 7.3:update11 |
| liferay | digital_experience_platform | 7.3:update12 |
| liferay | digital_experience_platform | 7.3:update13 |
| liferay | digital_experience_platform | 7.3:update2 |
| liferay | digital_experience_platform | 7.3:update3 |
| liferay | digital_experience_platform | 7.3:update4 |
| liferay | digital_experience_platform | 7.3:update5 |
| liferay | digital_experience_platform | 7.3:update6 |
| liferay | digital_experience_platform | 7.3:update7 |
| liferay | digital_experience_platform | 7.3:update8 |
| liferay | digital_experience_platform | 7.3:update9 |
| liferay | liferay_portal | 7.3.0 ≤ 𝑥 ≤ 7.3.7 |
| liferay | liferay_portal | 7.4.0 |

𝑥 = Vulnerable software versions