Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/liferay/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2023.Q3.1"
},
{
"last_affected": "2023.Q3.10"
},
{
"introduced": "2023.q4.0"
},
{
"last_affected": "2023.q4.10"
},
{
"introduced": "2024.q1.1"
},
{
"last_affected": "2024.q1.12"
},
{
"introduced": "2024.q2.0"
},
{
"last_affected": "2024.q2.13"
}
],
"vendor_product": "liferay:digital_experience_platform",
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:a:liferay:digital_experience_platform:2024.q3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.4-update82"
},
{
"last_affected": "7.4-update82"
},
{
"introduced": "7.4-update83"
},
{
"last_affected": "7.4-update83"
},
{
"introduced": "7.4-update84"
},
{
"last_affected": "7.4-update84"
},
{
"introduced": "7.4-update85"
},
{
"last_affected": "7.4-update85"
},
{
"introduced": "7.4-update86"
},
{
"last_affected": "7.4-update86"
},
{
"introduced": "7.4-update87"
},
{
"last_affected": "7.4-update87"
},
{
"introduced": "7.4-update88"
},
{
"last_affected": "7.4-update88"
},
{
"introduced": "7.4-update89"
},
{
"last_affected": "7.4-update89"
},
{
"introduced": "7.4-update90"
},
{
"last_affected": "7.4-update90"
},
{
"introduced": "7.4-update91"
},
{
"last_affected": "7.4-update91"
},
{
"introduced": "7.4-update92"
},
{
"last_affected": "7.4-update92"
},
{
"introduced": "2024.q3.0"
},
{
"last_affected": "2024.q3.0"
}
],
"vendor_product": "liferay:digital_experience_platform",
"source": "CPE_STRING"
}
]
}