CVE-2023-44310
CRITICAL
Liferay DXP 7.3.6-7.4.3.78 & 7.3 FP1-23 & 7.4 < U79 - Stored XSS in Page Tree Menu
Title source: llm
Description
Stored cross-site scripting (XSS) vulnerability in the Page Tree menu in Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79, allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a page's "Name" text field.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44310
Scores
CVSS v3
9.0
EPSS
0.0020
EPSS Percentile
41.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (5)
com.liferay/com.liferay.layout.impl
0 - 6.0.102 (Maven)
com.liferay.portal/release.dxp.bom
7.3.10.fp1 (Maven)
liferay/digital_experience_platform
7.1 fix_pack_1 (23 CPE variants)
liferay/digital_experience_platform
7.4 (12 CPE variants)
liferay/liferay_portal
7.3.6 - 7.4.3.49
Published
Oct 17, 2023
Tracked Since
Feb 18, 2026