CVE-2023-42496

CRITICAL

Liferay Portal 7.3.3-7.4.3.97 & DXP <2023.Q3.6/7.4.92/7.3.34 - XSS via RolesAdminPortlet tabs2

Title source: llm

Description

Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42496

Scores

CVSS v3 9.6

EPSS 0.0044

EPSS Percentile 63.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (4)

com.liferay.portal/release.dxp.bom 7.4.10.ep1Maven

com.liferay.portal/release.portal.bom 7.3.3 - 7.4.3.98Maven

liferay/digital_experience_platform 7.3 (35 CPE variants)

liferay/digital_experience_platform 7.4 (13 CPE variants)

Published Feb 21, 2024

Tracked Since Feb 18, 2026