Description

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33944

Related Vulnerabilities

CVE-2023-49276 Vulnerability in npm package uptime-kuma

CVE-2016-0782 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2015-1807 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-27902 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2019-8331 Vulnerability in maven package org.webjars.bowergithub.jasny:bootstrap

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory