First published: Wed May 24 2023
Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.
Credit: security@liferay.com
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.4-update1 | |
Liferay Digital Experience Platform | =7.4 | |
Liferay Liferay Portal | >=7.4.0 <=7.4.3.30 | |
maven/com.liferay.portal:release.portal.bom | >=7.4.0 <7.4.3.31 | 7.4.3.31 |
The CVE ID for this vulnerability is CVE-2023-33940.
The severity of CVE-2023-33940 is medium with a CVSS score of 5.4.
The vulnerability in CVE-2023-33940 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.
The affected software versions are Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31.
To fix the vulnerability in CVE-2023-33940, update to the latest version of Liferay Portal or Liferay DXP.