First published: Wed May 24 2023
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.
Credit: security@liferay.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/com.liferay.portal:release.portal.bom | >=7.3.4<7.4.3.69 | 7.4.3.69 |
Liferay Digital Experience Platform | =7.3 | |
Liferay Digital Experience Platform | =7.3-fix_pack_1 | |
Liferay Digital Experience Platform | =7.3-fix_pack_2 | |
Liferay Digital Experience Platform | =7.4 | |
Liferay Digital Experience Platform | =7.4-update1 | |
Liferay Digital Experience Platform | =7.4-update21 | |
Liferay Digital Experience Platform | =7.4-update34 | |
Liferay Digital Experience Platform | =7.4-update36 | |
Liferay Digital Experience Platform | =7.4-update41 | |
Liferay Digital Experience Platform | =7.4-update50 | |
Liferay Digital Experience Platform | =7.4-update52 | |
Liferay Digital Experience Platform | =7.4-update62 | |
Liferay Portal | >=7.3.4<=7.4.3.68 | |
CVE-2023-33944 is a cross-site scripting (XSS) vulnerability in the Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69.
The severity of CVE-2023-33944 is medium, with a severity value of 6.1.
CVE-2023-33944 allows remote attackers to inject arbitrary web script or HTML into a container type layout fragment's URL, leading to potential cross-site scripting attacks.
CVE-2023-33944 affects Liferay Portal versions 7.3.4 through 7.4.3.68.
To fix CVE-2023-33944, it is recommended to update Liferay Portal to version 7.4.3.69 or the latest available patch.