Base Score

MEDIUM6.1

CVE-2023-42498

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter.

VectorNETWORK

Published Bysecurity@liferay.com

Published DateFeb 21, 2024, 03:15

Affected Versions(3)

com.liferay.portal:release.portal.bom(Maven)

Introduced7.4.3.8

Fixed7.4.3.98

LimitN/A

com.liferay.portal:release.dxp.bom(Maven)

Introduced2023.Q3

Fixed2023.Q3.5

LimitN/A

com.liferay.portal:release.dxp.bom(Maven)

Introduced7.4.13.u4

FixedN/A

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.liferay.portal:release.portal.bom(Maven)	7.4.3.8	7.4.3.98	N/A
com.liferay.portal:release.dxp.bom(Maven)	2023.Q3	2023.Q3.5	N/A
com.liferay.portal:release.dxp.bom(Maven)	7.4.13.u4	N/A	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42498

Base Score

MEDIUM6.1

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE