PT-2023-24580 · Liferay · Liferay Dxp+1

Published: 2023-05-24 · Updated: 2026-01-30 · CVE-2023-33939

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.1.0 through 7.4.3.12
Liferay DXP versions 7.1.0 through 7.1 before fix pack 27
Liferay DXP versions 7.2.0 through 7.2 before fix pack 18
Liferay DXP versions 7.3.0 through 7.3 before update 4
Liferay DXP versions 7.4.0 through 7.4 before update 9

Description

A cross-site scripting (XSS) issue in the Modified Facet widget allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label. This enables attackers to execute malicious scripts on the client side.

Recommendations

For Liferay Portal versions 7.1.0 through 7.4.3.12, update to a version after 7.4.3.12 or apply the necessary fix.
For Liferay DXP version 7.1, apply fix pack 27 or later.
For Liferay DXP version 7.2, apply fix pack 18 or later.
For Liferay DXP version 7.3, apply update 4 or later.
For Liferay DXP version 7.4, apply update 9 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2023-33939
CVE-2023-33939
GHSA-53MW-69QX-Q4FC

Affected Products

Liferay Dxp
Liferay Portal