GHSA-q2cv-7j58-rfmj

Source

https://github.com/advisories/GHSA-q2cv-7j58-rfmj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-q2cv-7j58-rfmj/GHSA-q2cv-7j58-rfmj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q2cv-7j58-rfmj

Aliases

CVE-2023-47795

Published

2024-02-21T15:30:45Z

Modified

2025-01-28T22:33:41.257098Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Liferay Portal Document and Media widget and Liferay DXP vulnerable to stored Cross-site Scripting

Details

Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 18 through 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's “Title” text field.

Database specific

{
    "nvd_published_at": "2024-02-21T14:15:45Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T23:18:59Z"
}

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.3.18

Fixed

7.4.3.102

Affected versions

7.*

7.4.3.18

7.4.3.19

7.4.3.20

7.4.3.20-ga20

7.4.3.21

7.4.3.21-ga21

7.4.3.22

7.4.3.23

7.4.3.24

7.4.3.25

7.4.3.26

7.4.3.27

7.4.3.28

7.4.3.29

7.4.3.30

7.4.3.31

7.4.3.32

7.4.3.33

7.4.3.34

7.4.3.35

7.4.3.36

7.4.3.37

7.4.3.38

7.4.3.39

7.4.3.40

7.4.3.41

7.4.3.42

7.4.3.43

7.4.3.44

7.4.3.45

7.4.3.46

7.4.3.47

7.4.3.48

7.4.3.49

7.4.3.50

7.4.3.51

7.4.3.52

7.4.3.53

7.4.3.54

7.4.3.55

7.4.3.56

7.4.3.57

7.4.3.58

7.4.3.59

7.4.3.60

7.4.3.60-ga60

7.4.3.61

7.4.3.61-ga61

7.4.3.62

7.4.3.63

7.4.3.64

7.4.3.65

7.4.3.66

7.4.3.67

7.4.3.68

7.4.3.69

7.4.3.70

7.4.3.71

7.4.3.72

7.4.3.73

7.4.3.74

7.4.3.75

7.4.3.76

7.4.3.77

7.4.3.78

7.4.3.79

7.4.3.80

7.4.3.81

7.4.3.82

7.4.3.83

7.4.3.84

7.4.3.85

7.4.3.85-ga85

7.4.3.86

7.4.3.87

7.4.3.88

7.4.3.89

7.4.3.90

7.4.3.91

7.4.3.92

7.4.3.93

7.4.3.94

7.4.3.95

7.4.3.95-1

7.4.3.96

7.4.3.97

7.4.3.98

7.4.3.99

7.4.3.100

7.4.3.101

Database specific

{
    "last_known_affected_version_range": "<= 7.4.3.101"
}

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2023.Q3

Fixed

2023.Q3.6

Affected versions

2023.*

2023.q3.1

2023.q3.2

2023.q3.3

2023.q3.4

2023.q3.5

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.13.u18

Last affected

7.4.13.u92

Affected versions

7.*

7.4.13.u18

7.4.13.u19

7.4.13.u20

7.4.13.u21

7.4.13.u22

7.4.13.u23

7.4.13.u24

7.4.13.u25

7.4.13.u26

7.4.13.u27

7.4.13.u28

7.4.13.u29

7.4.13.u30

7.4.13.u31

7.4.13.u32

7.4.13.u33

7.4.13.u34

7.4.13.u35

7.4.13.u36

7.4.13.u37

7.4.13.u38

7.4.13.u39

7.4.13.u40

7.4.13.u41

7.4.13.u42

7.4.13.u43

7.4.13.u44

7.4.13.u45

7.4.13.u46

7.4.13.u47

7.4.13.u48

7.4.13.u49

7.4.13.u50

7.4.13.u51

7.4.13.u52

7.4.13.u53

7.4.13.u54

7.4.13.u55

7.4.13.u56

7.4.13.u57

7.4.13.u58

7.4.13.u59

7.4.13.u60

7.4.13.u61

7.4.13.u62

7.4.13.u63

7.4.13.u64

7.4.13.u65

7.4.13.u66

7.4.13.u67

7.4.13.u68

7.4.13.u69

7.4.13.u70

7.4.13.u71

7.4.13.u72

7.4.13.u73

7.4.13.u74

7.4.13.u75

7.4.13.u76

7.4.13.u77

7.4.13.u78

7.4.13.u79

7.4.13.u80

7.4.13.u81

7.4.13.u82

7.4.13.u83

7.4.13.u84

7.4.13.u85

7.4.13.u86

7.4.13.u87

7.4.13.u88

7.4.13.u89

7.4.13.u90

7.4.13.u91

7.4.13.u92