CVE-2023-33939: XSS
First published: Wed May 24 2023(Updated: )
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
Credit: security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.liferay.portal:release.portal.bom | >=7.1.0<7.4.3.13 | 7.4.3.13 |
| Liferay DXP | =7.1 | |
| Liferay DXP | =7.1-fix_pack_1 | |
| Liferay DXP | =7.1-fix_pack_10 | |
| Liferay DXP | =7.1-fix_pack_11 | |
| Liferay DXP | =7.1-fix_pack_12 | |
| Liferay DXP | =7.1-fix_pack_13 | |
| Liferay DXP | =7.1-fix_pack_14 | |
| Liferay DXP | =7.1-fix_pack_15 | |
| Liferay DXP | =7.1-fix_pack_16 | |
| Liferay DXP | =7.1-fix_pack_17 | |
| Liferay DXP | =7.1-fix_pack_18 | |
| Liferay DXP | =7.1-fix_pack_19 | |
| Liferay DXP | =7.1-fix_pack_2 | |
| Liferay DXP | =7.1-fix_pack_20 | |
| Liferay DXP | =7.1-fix_pack_21 | |
| Liferay DXP | =7.1-fix_pack_22 | |
| Liferay DXP | =7.1-fix_pack_23 | |
| Liferay DXP | =7.1-fix_pack_24 | |
| Liferay DXP | =7.1-fix_pack_25 | |
| Liferay DXP | =7.1-fix_pack_26 | |
| Liferay DXP | =7.1-fix_pack_3 | |
| Liferay DXP | =7.1-fix_pack_4 | |
| Liferay DXP | =7.1-fix_pack_5 | |
| Liferay DXP | =7.1-fix_pack_6 | |
| Liferay DXP | =7.1-fix_pack_7 | |
| Liferay DXP | =7.1-fix_pack_8 | |
| Liferay DXP | =7.1-fix_pack_9 | |
| Liferay DXP | =7.2 | |
| Liferay DXP | =7.2-fix_pack_1 | |
| Liferay DXP | =7.2-fix_pack_10 | |
| Liferay DXP | =7.2-fix_pack_11 | |
| Liferay DXP | =7.2-fix_pack_12 | |
| Liferay DXP | =7.2-fix_pack_13 | |
| Liferay DXP | =7.2-fix_pack_14 | |
| Liferay DXP | =7.2-fix_pack_15 | |
| Liferay DXP | =7.2-fix_pack_16 | |
| Liferay DXP | =7.2-fix_pack_2 | |
| Liferay DXP | =7.2-fix_pack_3 | |
| Liferay DXP | =7.2-fix_pack_4 | |
| Liferay DXP | =7.2-fix_pack_5 | |
| Liferay DXP | =7.2-fix_pack_6 | |
| Liferay DXP | =7.2-fix_pack_7 | |
| Liferay DXP | =7.2-fix_pack_8 | |
| Liferay DXP | =7.2-fix_pack_9 | |
| Liferay DXP | =7.3 | |
| Liferay DXP | =7.3-fix_pack_1 | |
| Liferay DXP | =7.3-fix_pack_2 | |
| Liferay DXP | =7.4 | |
| Liferay DXP | =7.4-update1 | |
| Liferay 7.4 GA | >=7.1.0<=7.4.3.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-33939?
CVE-2023-33939 is a cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9.
What is the severity of CVE-2023-33939?
The severity of CVE-2023-33939 is medium, with a severity value of 5.4.
How does CVE-2023-33939 affect Liferay Digital Experience Platform?
CVE-2023-33939 affects Liferay Digital Experience Platform versions 7.1 and 7.2, before fix pack 27 and fix pack 18 respectively.
How does CVE-2023-33939 affect Liferay Portal?
CVE-2023-33939 affects Liferay Portal versions 7.1.0 through 7.4.3.12.
How can I fix CVE-2023-33939?
To fix CVE-2023-33939, update Liferay Digital Experience Platform to at least fix pack 27 (for 7.1) or fix pack 18 (for 7.2), and Liferay Portal to at least version 7.4.3.12.
- collector/github-advisory-latest
- alias/GHSA-53mw-69qx-q4fc
- alias/CVE-2023-33939
- collector/github-advisory
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-latest
- package-manager/maven
- vendor/liferay
- canonical/liferay dxp
- version/liferay dxp/7.1
- version/liferay dxp/7.1-fix_pack_1
- version/liferay dxp/7.1-fix_pack_10
- version/liferay dxp/7.1-fix_pack_11
- version/liferay dxp/7.1-fix_pack_12
- version/liferay dxp/7.1-fix_pack_13
- version/liferay dxp/7.1-fix_pack_14
- version/liferay dxp/7.1-fix_pack_15
- version/liferay dxp/7.1-fix_pack_16
- version/liferay dxp/7.1-fix_pack_17
- version/liferay dxp/7.1-fix_pack_18
- version/liferay dxp/7.1-fix_pack_19
- version/liferay dxp/7.1-fix_pack_2
- version/liferay dxp/7.1-fix_pack_20
- version/liferay dxp/7.1-fix_pack_21
- version/liferay dxp/7.1-fix_pack_22
- version/liferay dxp/7.1-fix_pack_23
- version/liferay dxp/7.1-fix_pack_24
- version/liferay dxp/7.1-fix_pack_25
- version/liferay dxp/7.1-fix_pack_26
- version/liferay dxp/7.1-fix_pack_3
- version/liferay dxp/7.1-fix_pack_4
- version/liferay dxp/7.1-fix_pack_5
- version/liferay dxp/7.1-fix_pack_6
- version/liferay dxp/7.1-fix_pack_7
- version/liferay dxp/7.1-fix_pack_8
- version/liferay dxp/7.1-fix_pack_9
- version/liferay dxp/7.2
- version/liferay dxp/7.2-fix_pack_1
- version/liferay dxp/7.2-fix_pack_10
- version/liferay dxp/7.2-fix_pack_11
- version/liferay dxp/7.2-fix_pack_12
- version/liferay dxp/7.2-fix_pack_13
- version/liferay dxp/7.2-fix_pack_14
- version/liferay dxp/7.2-fix_pack_15
- version/liferay dxp/7.2-fix_pack_16
- version/liferay dxp/7.2-fix_pack_2
- version/liferay dxp/7.2-fix_pack_3
- version/liferay dxp/7.2-fix_pack_4
- version/liferay dxp/7.2-fix_pack_5
- version/liferay dxp/7.2-fix_pack_6
- version/liferay dxp/7.2-fix_pack_7
- version/liferay dxp/7.2-fix_pack_8
- version/liferay dxp/7.2-fix_pack_9
- version/liferay dxp/7.3
- version/liferay dxp/7.3-fix_pack_1
- version/liferay dxp/7.3-fix_pack_2
- version/liferay dxp/7.4
- version/liferay dxp/7.4-update1
- canonical/liferay 7.4 ga
- version/liferay 7.4 ga/7.1.0
- version/liferay 7.4 ga/7.4.3.12