CVE-2023-42629
CRITICAL
Liferay DXP 7.4.2-7.4.3.87 < update 88 - Stored XSS in Vocabulary Description
Title source: llm
Description
Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.
References (2)
Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629
Exploit, Third Party Advisory
https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/
Scores
CVSS v3
9.0
EPSS
0.0021
EPSS Percentile
43.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-79
Status
published
Products (4)
com.liferay/com.liferay.asset.categories.admin.web
0 - 5.0.87 (Maven)
com.liferay.portal/release.dxp.bom
7.4.0 - 7.4.13.u88 (Maven)
liferay/digital_experience_platform
7.4 (18 CPE variants)
liferay/liferay_portal
7.4.2 - 7.4.3.88
Published
Oct 17, 2023
Tracked Since
Feb 18, 2026