CVE-2023-44309

Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
LiferayCNA
9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
VendorProductVersion
liferaydigital_experience_platform
7.4
liferaydigital_experience_platform
7.4:update1
liferaydigital_experience_platform
7.4:update21
liferaydigital_experience_platform
7.4:update34
liferaydigital_experience_platform
7.4:update36
liferaydigital_experience_platform
7.4:update41
liferaydigital_experience_platform
7.4:update48
liferaydigital_experience_platform
7.4:update50
liferaydigital_experience_platform
7.4:update52
liferayliferay_portal
7.4.2 ≤
𝑥
< 7.4.3.53
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309