Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
Metric | Value |
---|---|
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | Low |
Scope | Changed |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
User Interaction | Required |
No CVSS v3.0
No CVSS v2
Vendors | Products |
---|---|
Liferay |
References
Link | Resource |
---|---|
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628 | Vendor Advisory |
https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/ | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Liferay
Published: 2023-10-17T11:52:45.867Z
Updated: 2023-11-10T02:32:30.141Z
Reserved: 2023-09-12T05:35:42.826Z
Link: CVE-2023-42628
NVD Information
Status: Analyzed
Published: 2023-10-17T12:15:10.043
Modified: 2023-12-28T16:13:28.370
Link: CVE-2023-42628
Redhat Information
No data.
CWE