CVE-2023-42627

17.10.2023, 13:15

Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.6 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Liferay	CNA	9.6 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Vendor	Product	Version
liferay	digital_experience_platform	7.3
liferay	digital_experience_platform	7.3:fix_pack_1
liferay	digital_experience_platform	7.3:fix_pack_2
liferay	digital_experience_platform	7.3:update14
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4:update1
liferay	digital_experience_platform	7.4:update21
liferay	digital_experience_platform	7.4:update34
liferay	digital_experience_platform	7.4:update36
liferay	digital_experience_platform	7.4:update41
liferay	digital_experience_platform	7.4:update48
liferay	digital_experience_platform	7.4:update50
liferay	digital_experience_platform	7.4:update52
liferay	digital_experience_platform	7.4:update62
liferay	digital_experience_platform	7.4:update67
liferay	digital_experience_platform	7.4:update76
liferay	digital_experience_platform	7.4:update81
liferay	digital_experience_platform	7.4:update82
liferay	digital_experience_platform	7.4:update83
liferay	digital_experience_platform	7.4:update84
liferay	digital_experience_platform	7.4:update85
liferay	digital_experience_platform	7.4:update86
liferay	liferay_portal	7.3.5 ≤ 𝑥 < 7.4.3.92

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627

https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42627

https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/