Description

Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33938

Related Vulnerabilities

CVE-2020-13949 Vulnerability in maven package org.apache.thrift:libthrift

CVE-2023-34465 Vulnerability in maven package org.xwiki.platform:xwiki-platform-security-authorization-bridge

CVE-2012-3451 Vulnerability in maven package org.apache.cxf:cxf-bundle-jaxrs

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http-core

CVE-2019-10301 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-plugin

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory