CVE-2023-42628
CRITICAL
Liferay DXP 7.0-7.4.3.87 Stored XSS in Wiki Widget Content Field
Title source: llm
Description
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.
References (2)
Core References
Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
Exploit, Third Party Advisory
https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/
Scores
CVSS v3
9.0
EPSS
0.0016
EPSS Percentile
36.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-79
Status
published
Products (3)
com.liferay/com.liferay.wiki.web
0 - 7.0.95 (Maven)
com.liferay.portal/release.dxp.bom
7.0.10.fp83 (Maven)
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Oct 17, 2023
Tracked Since
Feb 18, 2026