CVE-2023-42497

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
LiferayCNA
9.6 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
Affected Products (NVD)
VendorProductVersion
liferaydigital_experience_platform
7.4
liferaydigital_experience_platform
7.4:update1
liferaydigital_experience_platform
7.4:update21
liferaydigital_experience_platform
7.4:update34
liferaydigital_experience_platform
7.4:update36
liferaydigital_experience_platform
7.4:update41
liferaydigital_experience_platform
7.4:update48
liferaydigital_experience_platform
7.4:update50
liferaydigital_experience_platform
7.4:update52
liferaydigital_experience_platform
7.4:update62
liferaydigital_experience_platform
7.4:update67
liferaydigital_experience_platform
7.4:update76
liferaydigital_experience_platform
7.4:update81
liferaydigital_experience_platform
7.4:update82
liferaydigital_experience_platform
7.4:update83
liferaydigital_experience_platform
7.4:update84
liferaydigital_experience_platform
7.4:update85
liferayliferay_portal
7.4.3.4 ≤
𝑥
< 7.4.3.86
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
liferaydxp
7.4.13 ≤
𝑥
≤ 7.4.13.u85
CNA
liferaydxp
7.4.3.4 ≤
𝑥
≤ 7.4.3.85
CNA
Common Weakness Enumeration
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42497