CVE-2023-37940

MEDIUM

Liferay Portal 7.0.0-7.4.3.87 & DXP 7.4 GA-87, 7.3 GA-29 - Stored XSS via Service Access Policy

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2023-37940

Scores

CVSS v3 4.8

EPSS 0.0018

EPSS Percentile 38.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (4)

com.liferay.portal/release.dxp.bom 7.0 - 7.3.10.u30Maven

com.liferay.portal/release.portal.bom 7.0.0 - 7.4.3.88Maven

liferay/digital_experience_platform 7.3 (31 CPE variants)

liferay/digital_experience_platform 7.4 (17 CPE variants)

Published Dec 17, 2024

Tracked Since Feb 18, 2026