critical
9.6
CWE
79
Advisory Published
Advisory Published
Updated

CVE-2023-42498: XSS

First published: Wed Feb 21 2024(Updated: )

Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter.

Credit: security@liferay.com security@liferay.com

Affected SoftwareAffected VersionHow to fix
maven/com.liferay.portal:release.portal.bom>=7.4.3.8<=7.4.3.97
7.4.3.98
maven/com.liferay.portal:release.dxp.bom>=7.4.13.u4<=7.4.13.u92
maven/com.liferay.portal:release.dxp.bom>=2023.Q3<2023.Q3.5
2023.Q3.5
Liferay 7.4 GA>=7.4.3.8<7.4.3.98
Liferay DXP=7.4-update10
Liferay DXP=7.4-update11
Liferay DXP=7.4-update12
Liferay DXP=7.4-update13
Liferay DXP=7.4-update14
Liferay DXP=7.4-update15
Liferay DXP=7.4-update16
Liferay DXP=7.4-update17
Liferay DXP=7.4-update18
Liferay DXP=7.4-update19
Liferay DXP=7.4-update20
Liferay DXP=7.4-update21
Liferay DXP=7.4-update22
Liferay DXP=7.4-update23
Liferay DXP=7.4-update24
Liferay DXP=7.4-update25
Liferay DXP=7.4-update26
Liferay DXP=7.4-update27
Liferay DXP=7.4-update28
Liferay DXP=7.4-update29
Liferay DXP=7.4-update30
Liferay DXP=7.4-update31
Liferay DXP=7.4-update32
Liferay DXP=7.4-update33
Liferay DXP=7.4-update34
Liferay DXP=7.4-update35
Liferay DXP=7.4-update36
Liferay DXP=7.4-update37
Liferay DXP=7.4-update38
Liferay DXP=7.4-update39
Liferay DXP=7.4-update4
Liferay DXP=7.4-update40
Liferay DXP=7.4-update41
Liferay DXP=7.4-update42
Liferay DXP=7.4-update43
Liferay DXP=7.4-update44
Liferay DXP=7.4-update45
Liferay DXP=7.4-update46
Liferay DXP=7.4-update47
Liferay DXP=7.4-update48
Liferay DXP=7.4-update49
Liferay DXP=7.4-update5
Liferay DXP=7.4-update50
Liferay DXP=7.4-update51
Liferay DXP=7.4-update52
Liferay DXP=7.4-update53
Liferay DXP=7.4-update54
Liferay DXP=7.4-update55
Liferay DXP=7.4-update56
Liferay DXP=7.4-update57
Liferay DXP=7.4-update58
Liferay DXP=7.4-update59
Liferay DXP=7.4-update6
Liferay DXP=7.4-update60
Liferay DXP=7.4-update61
Liferay DXP=7.4-update62
Liferay DXP=7.4-update63
Liferay DXP=7.4-update64
Liferay DXP=7.4-update65
Liferay DXP=7.4-update66
Liferay DXP=7.4-update67
Liferay DXP=7.4-update68
Liferay DXP=7.4-update69
Liferay DXP=7.4-update7
Liferay DXP=7.4-update70
Liferay DXP=7.4-update71
Liferay DXP=7.4-update72
Liferay DXP=7.4-update73
Liferay DXP=7.4-update74
Liferay DXP=7.4-update75
Liferay DXP=7.4-update76
Liferay DXP=7.4-update77
Liferay DXP=7.4-update78
Liferay DXP=7.4-update79
Liferay DXP=7.4-update8
Liferay DXP=7.4-update80
Liferay DXP=7.4-update81
Liferay DXP=7.4-update82
Liferay DXP=7.4-update83
Liferay DXP=7.4-update84
Liferay DXP=7.4-update85
Liferay DXP=7.4-update86
Liferay DXP=7.4-update87
Liferay DXP=7.4-update88
Liferay DXP=7.4-update89
Liferay DXP=7.4-update9
Liferay DXP=7.4-update90
Liferay DXP=7.4-update91
Liferay DXP=7.4-update92
Liferay DXP=2023.q3.0
Liferay DXP=2023.q3.1
Liferay DXP=2023.q3.2
Liferay DXP=2023.q3.3
Liferay DXP=2023.q3.4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-42498?

    CVE-2023-42498 is classified as a high severity reflected cross-site scripting (XSS) vulnerability.

  • How do I fix CVE-2023-42498?

    To mitigate CVE-2023-42498, update to Liferay Portal version 7.4.3.98 or later, or Liferay DXP version 2023.Q3.5 or later.

  • What versions are affected by CVE-2023-42498?

    CVE-2023-42498 affects Liferay Portal versions 7.4.3.8 through 7.4.3.97 and Liferay DXP 2023.Q3 prior to patch 5.

  • What are the potential impacts of CVE-2023-42498?

    Exploitation of CVE-2023-42498 could allow attackers to inject arbitrary web scripts or HTML, leading to unauthorized actions on behalf of users.

  • Where can I find more information about CVE-2023-42498?

    Additional details regarding CVE-2023-42498 can be found in official security advisories from Liferay and related cybersecurity platforms.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203