Description

Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33938

Related Vulnerabilities

CVE-2014-0003 Vulnerability in maven package org.apache.camel:camel-core

CVE-2020-10721 Vulnerability in maven package io.fabric8:fabric8-maven-plugin-core

CVE-2020-15841 Vulnerability in maven package com.liferay:com.liferay.portal.settings.authentication.ldap.web

CVE-2020-2113 Vulnerability in maven package org.jenkins-ci.tools:git-parameter

CVE-2021-36373 Vulnerability in maven package org.apache.ant:ant

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory