First published: Wed May 24 2023
Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.
Credit: security@liferay.com
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.3-fix_pack_1 | |
Liferay Digital Experience Platform | =7.3-fix_pack_2 | |
Liferay Liferay Portal | >=7.3.0 <=7.4.0 | |
Liferay Digital Experience Platform | =7.3 | |
maven/com.liferay.portal:release.portal.bom | >=7.3.0 <7.4.1 | 7.4.1 |
CVE-2023-33938 is a cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14.
CVE-2023-33938 allows remote attackers to inject arbitrary web script or HTML into an App Builder custom object.
CVE-2023-33938 has a severity rating of 6.1, which is considered medium.
CVE-2023-33938 affects Liferay Portal versions 7.3.0 through 7.4.0 and Liferay DXP 7.3 before update 14.
To fix CVE-2023-33938, update Liferay Portal to version 7.4.0 or later, or Liferay DXP to update 14 or later.