XSS in Liferay Dxp
CVE-2023-42628
Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.002 (36.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H.
Affected products
- Liferay Dxp — versions 7.0.10-de-83, 7.1.10, 7.2.10
- Liferay Portal — versions 7.1.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/conten… (vendor-advisory)
- www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay… (third-party-advisory, exploit)
Frequently asked questions
- What is CVE-2023-42628?
- CVE-2023-42628 is a critical-severity vulnerability in Liferay Dxp, classified under Cross-site Scripting. CVSS score: 9.0/10. Published 2023-10-17.
- How severe is CVE-2023-42628?
- Critical severity. CVSS v3 base score is 9.0 out of 10.
- Is CVE-2023-42628 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.