GHSA-54pv-r62j-9qqc

Source

https://github.com/advisories/GHSA-54pv-r62j-9qqc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-54pv-r62j-9qqc/GHSA-54pv-r62j-9qqc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-54pv-r62j-9qqc

Aliases

CVE-2023-42496

Published

2024-02-21T03:30:37Z

Modified

2024-02-21T23:56:59.000534Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting

Details

Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.

Database specific

{
    "nvd_published_at": "2024-02-21T03:15:08Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T23:29:48Z"
}

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.3.3

Last affected

7.4.3.97

Affected versions

7.*

7.3.3

7.3.3-1

7.3.4

7.3.5

7.3.6

7.3.7

7.4.0

7.4.1

7.4.1-1

7.4.2

7.4.2-1

7.4.3.4

7.4.3.5

7.4.3.6

7.4.3.7

7.4.3.8

7.4.3.9

7.4.3.10

7.4.3.11

7.4.3.12

7.4.3.13

7.4.3.14

7.4.3.15

7.4.3.16

7.4.3.17

7.4.3.18

7.4.3.19

7.4.3.20

7.4.3.20-ga20

7.4.3.21

7.4.3.21-ga21

7.4.3.22

7.4.3.23

7.4.3.24

7.4.3.25

7.4.3.26

7.4.3.27

7.4.3.28

7.4.3.29

7.4.3.30

7.4.3.31

7.4.3.32

7.4.3.33

7.4.3.34

7.4.3.35

7.4.3.36

7.4.3.37

7.4.3.38

7.4.3.39

7.4.3.40

7.4.3.41

7.4.3.42

7.4.3.43

7.4.3.44

7.4.3.45

7.4.3.46

7.4.3.47

7.4.3.48

7.4.3.49

7.4.3.50

7.4.3.51

7.4.3.52

7.4.3.53

7.4.3.54

7.4.3.55

7.4.3.56

7.4.3.57

7.4.3.58

7.4.3.59

7.4.3.60

7.4.3.60-ga60

7.4.3.61

7.4.3.61-ga61

7.4.3.62

7.4.3.63

7.4.3.64

7.4.3.65

7.4.3.66

7.4.3.67

7.4.3.68

7.4.3.69

7.4.3.70

7.4.3.71

7.4.3.72

7.4.3.73

7.4.3.74

7.4.3.75

7.4.3.76

7.4.3.77

7.4.3.78

7.4.3.79

7.4.3.80

7.4.3.81

7.4.3.82

7.4.3.83

7.4.3.84

7.4.3.85

7.4.3.85-ga85

7.4.3.86

7.4.3.87

7.4.3.88

7.4.3.89

7.4.3.90

7.4.3.91

7.4.3.92

7.4.3.93

7.4.3.94

7.4.3.95

7.4.3.95-1

7.4.3.96

7.4.3.97

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.10.ep1

Last affected

7.4.13.u92

Affected versions

7.*

7.4.10.ep1

7.4.11

7.4.12

7.4.13

7.4.13.u1

7.4.13.u2

7.4.13.u3

7.4.13.u4

7.4.13.u5

7.4.13.u6

7.4.13.u7

7.4.13.u8

7.4.13.u9

7.4.13.u10

7.4.13.u15

7.4.13.u16

7.4.13.u17

7.4.13.u18

7.4.13.u19

7.4.13.u20

7.4.13.u21

7.4.13.u22

7.4.13.u23

7.4.13.u24

7.4.13.u25

7.4.13.u26

7.4.13.u27

7.4.13.u28

7.4.13.u29

7.4.13.u30

7.4.13.u31

7.4.13.u32

7.4.13.u33

7.4.13.u34

7.4.13.u35

7.4.13.u36

7.4.13.u37

7.4.13.u38

7.4.13.u39

7.4.13.u40

7.4.13.u41

7.4.13.u42

7.4.13.u43

7.4.13.u44

7.4.13.u45

7.4.13.u46

7.4.13.u47

7.4.13.u48

7.4.13.u49

7.4.13.u50

7.4.13.u51

7.4.13.u52

7.4.13.u53

7.4.13.u54

7.4.13.u55

7.4.13.u56

7.4.13.u57

7.4.13.u58

7.4.13.u59

7.4.13.u60

7.4.13.u61

7.4.13.u62

7.4.13.u63

7.4.13.u64

7.4.13.u65

7.4.13.u66

7.4.13.u67

7.4.13.u68

7.4.13.u69

7.4.13.u70

7.4.13.u71

7.4.13.u72

7.4.13.u73

7.4.13.u74

7.4.13.u75

7.4.13.u76

7.4.13.u77

7.4.13.u78

7.4.13.u79

7.4.13.u80

7.4.13.u81

7.4.13.u82

7.4.13.u83

7.4.13.u84

7.4.13.u85

7.4.13.u86

7.4.13.u87

7.4.13.u88

7.4.13.u89

7.4.13.u90

7.4.13.u91

7.4.13.u92

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.3.10.ep3

Fixed

7.3.10.u34

Affected versions

7.*

7.3.10.ep3

7.3.10.ep4

7.3.10.ep5

7.3.10.fp1

7.3.10.fp2

7.3.10.u4

7.3.10.u5

7.3.10.u6

7.3.10.u7

7.3.10.u8

7.3.10.u9

7.3.10.u10

7.3.10.u11

7.3.10.u12

7.3.10.u13

7.3.10.u14

7.3.10.u15

7.3.10.u16

7.3.10.u17

7.3.10.u18

7.3.10.u19

7.3.10.u19-1

7.3.10.u20

7.3.10.u20-1

7.3.10.u21

7.3.10.u21-1

7.3.10.u22

7.3.10.u22-1

7.3.10.u23

7.3.10.u24

7.3.10.u25

7.3.10.u26

7.3.10.u27

7.3.10.u28

7.3.10.u29

7.3.10.u30

7.3.10.u31

7.3.10.u32

7.3.10.u33

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

GHSA-54pv-r62j-9qqc

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Affected ranges

Affected versions

7.*

Maven / com.liferay.portal:release.dxp.bom

Package

Affected ranges

Affected versions

7.*

Maven / com.liferay.portal:release.dxp.bom

Package

Affected ranges

Affected versions

7.*

Maven / com.liferay.portal:release.dxp.bom

Package

Affected ranges

Affected versions

2023.*