critical
9.6
CWE
79
Advisory Published
Advisory Published
Updated

CVE-2023-42496: XSS

First published: Wed Feb 21 2024(Updated: )

Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter.

Credit: security@liferay.com security@liferay.com

Affected SoftwareAffected VersionHow to fix
maven/com.liferay.portal:release.portal.bom>=7.3.3<=7.4.3.97
7.4.3.98
maven/com.liferay.portal:release.dxp.bom>=2023.Q3<2023.Q3.6
2023.Q3.6
maven/com.liferay.portal:release.dxp.bom>=7.3.10.ep3<7.3.10.u34
7.3.10.u34
maven/com.liferay.portal:release.dxp.bom>=7.4.10.ep1<=7.4.13.u92
Liferay 7.4 GA>=7.3.3<7.4.3.98
Liferay DXP=7.3
Liferay DXP=7.3-fix_pack_1
Liferay DXP=7.3-fix_pack_2
Liferay DXP=7.3-service_pack_1
Liferay DXP=7.3-service_pack_3
Liferay DXP=7.3-update10
Liferay DXP=7.3-update11
Liferay DXP=7.3-update12
Liferay DXP=7.3-update13
Liferay DXP=7.3-update14
Liferay DXP=7.3-update15
Liferay DXP=7.3-update16
Liferay DXP=7.3-update17
Liferay DXP=7.3-update18
Liferay DXP=7.3-update19
Liferay DXP=7.3-update20
Liferay DXP=7.3-update21
Liferay DXP=7.3-update22
Liferay DXP=7.3-update23
Liferay DXP=7.3-update24
Liferay DXP=7.3-update25
Liferay DXP=7.3-update26
Liferay DXP=7.3-update27
Liferay DXP=7.3-update28
Liferay DXP=7.3-update29
Liferay DXP=7.3-update30
Liferay DXP=7.3-update31
Liferay DXP=7.3-update32
Liferay DXP=7.3-update33
Liferay DXP=7.3-update4
Liferay DXP=7.3-update5
Liferay DXP=7.3-update6
Liferay DXP=7.3-update7
Liferay DXP=7.3-update8
Liferay DXP=7.3-update9
Liferay DXP=7.4
Liferay DXP=7.4-update1
Liferay DXP=7.4-update10
Liferay DXP=7.4-update11
Liferay DXP=7.4-update12
Liferay DXP=7.4-update13
Liferay DXP=7.4-update14
Liferay DXP=7.4-update15
Liferay DXP=7.4-update16
Liferay DXP=7.4-update17
Liferay DXP=7.4-update18
Liferay DXP=7.4-update19
Liferay DXP=7.4-update2
Liferay DXP=7.4-update20
Liferay DXP=7.4-update21
Liferay DXP=7.4-update22
Liferay DXP=7.4-update23
Liferay DXP=7.4-update24
Liferay DXP=7.4-update25
Liferay DXP=7.4-update26
Liferay DXP=7.4-update27
Liferay DXP=7.4-update28
Liferay DXP=7.4-update29
Liferay DXP=7.4-update3
Liferay DXP=7.4-update30
Liferay DXP=7.4-update31
Liferay DXP=7.4-update32
Liferay DXP=7.4-update33
Liferay DXP=7.4-update34
Liferay DXP=7.4-update35
Liferay DXP=7.4-update36
Liferay DXP=7.4-update37
Liferay DXP=7.4-update38
Liferay DXP=7.4-update39
Liferay DXP=7.4-update4
Liferay DXP=7.4-update40
Liferay DXP=7.4-update41
Liferay DXP=7.4-update42
Liferay DXP=7.4-update43
Liferay DXP=7.4-update44
Liferay DXP=7.4-update45
Liferay DXP=7.4-update46
Liferay DXP=7.4-update47
Liferay DXP=7.4-update48
Liferay DXP=7.4-update49
Liferay DXP=7.4-update5
Liferay DXP=7.4-update50
Liferay DXP=7.4-update51
Liferay DXP=7.4-update52
Liferay DXP=7.4-update53
Liferay DXP=7.4-update54
Liferay DXP=7.4-update55
Liferay DXP=7.4-update56
Liferay DXP=7.4-update57
Liferay DXP=7.4-update58
Liferay DXP=7.4-update59
Liferay DXP=7.4-update6
Liferay DXP=7.4-update60
Liferay DXP=7.4-update61
Liferay DXP=7.4-update62
Liferay DXP=7.4-update63
Liferay DXP=7.4-update64
Liferay DXP=7.4-update65
Liferay DXP=7.4-update66
Liferay DXP=7.4-update67
Liferay DXP=7.4-update68
Liferay DXP=7.4-update69
Liferay DXP=7.4-update7
Liferay DXP=7.4-update70
Liferay DXP=7.4-update71
Liferay DXP=7.4-update72
Liferay DXP=7.4-update73
Liferay DXP=7.4-update74
Liferay DXP=7.4-update75
Liferay DXP=7.4-update76
Liferay DXP=7.4-update77
Liferay DXP=7.4-update78
Liferay DXP=7.4-update79
Liferay DXP=7.4-update8
Liferay DXP=7.4-update80
Liferay DXP=7.4-update81
Liferay DXP=7.4-update82
Liferay DXP=7.4-update83
Liferay DXP=7.4-update84
Liferay DXP=7.4-update85
Liferay DXP=7.4-update86
Liferay DXP=7.4-update87
Liferay DXP=7.4-update88
Liferay DXP=7.4-update89
Liferay DXP=7.4-update9
Liferay DXP=7.4-update90
Liferay DXP=7.4-update91
Liferay DXP=7.4-update92

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-42496?

    CVE-2023-42496 has a high severity rating due to its ability to allow remote attackers to inject arbitrary web scripts or HTML.

  • How do I fix CVE-2023-42496?

    To fix CVE-2023-42496, upgrade to Liferay Portal versions 7.4.3.98 or later, or 7.3.10.u34 or later.

  • What are the affected versions for CVE-2023-42496?

    CVE-2023-42496 affects Liferay Portal versions 7.3.3 through 7.4.3.97 and Liferay DXP versions up to 2023.Q3 before patch 6.

  • Can CVE-2023-42496 lead to data theft?

    Yes, CVE-2023-42496 can potentially lead to data theft by allowing an attacker to execute malicious scripts on a victim's browser.

  • Is CVE-2023-42496 being actively exploited?

    There are reports suggesting that CVE-2023-42496 might be actively exploited in the wild, which emphasizes the need for immediate remediation.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203