Liferay Portal/DXP up to 7.4.3.87 Access Policy Page Service Class cross site scripting

Summaryinfo

A vulnerability was found in Liferay Portal and DXP up to 7.4.3.87. It has been rated as problematic. Affected by this vulnerability is an unknown functionality of the component Access Policy Page. The manipulation of the argument Service Class leads to cross site scripting. This vulnerability is uniquely identified as CVE-2023-37940. The attack is possible to be carried out remotely. No exploit exists.

Detailsinfo

A vulnerability was found in Liferay Portal and DXP up to 7.4.3.87. It has been rated as problematic. This issue affects an unknown function of the component Access Policy Page. The manipulation of the argument Service Class with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. The summary by CVE is:

Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.

It is possible to read the advisory at liferay.dev. The identification of this vulnerability is CVE-2023-37940 since 07/11/2023. The exploitation is known to be easy. The attack may be initiated remotely. Additional levels of successful authentication are required for exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Enterprise Resource Planning Software

Vendor

• Liferay

Name

• DXP
• Portal

Version

• 7.4.3.0
• 7.4.3.1
• 7.4.3.2
• 7.4.3.3
• 7.4.3.4
• 7.4.3.5
• 7.4.3.6
• 7.4.3.7
• 7.4.3.8
• 7.4.3.9
• 7.4.3.10
• 7.4.3.11
• 7.4.3.12
• 7.4.3.13
• 7.4.3.14
• 7.4.3.15
• 7.4.3.16
• 7.4.3.17
• 7.4.3.18
• 7.4.3.19
• 7.4.3.20
• 7.4.3.21
• 7.4.3.22
• 7.4.3.23
• 7.4.3.24
• 7.4.3.25
• 7.4.3.26
• 7.4.3.27
• 7.4.3.28
• 7.4.3.29
• 7.4.3.30
• 7.4.3.31
• 7.4.3.32
• 7.4.3.33
• 7.4.3.34
• 7.4.3.35
• 7.4.3.36
• 7.4.3.37
• 7.4.3.38
• 7.4.3.39
• 7.4.3.40
• 7.4.3.41
• 7.4.3.42
• 7.4.3.43
• 7.4.3.44
• 7.4.3.45
• 7.4.3.46
• 7.4.3.47
• 7.4.3.48
• 7.4.3.49
• 7.4.3.50
• 7.4.3.51
• 7.4.3.52
• 7.4.3.53
• 7.4.3.54
• 7.4.3.55
• 7.4.3.56
• 7.4.3.57
• 7.4.3.58
• 7.4.3.59
• 7.4.3.60
• 7.4.3.61
• 7.4.3.62
• 7.4.3.63
• 7.4.3.64
• 7.4.3.65
• 7.4.3.66
• 7.4.3.67
• 7.4.3.68
• 7.4.3.69
• 7.4.3.70
• 7.4.3.71
• 7.4.3.72
• 7.4.3.73
• 7.4.3.74
• 7.4.3.75
• 7.4.3.76
• 7.4.3.77
• 7.4.3.78
• 7.4.3.79
• 7.4.3.80
• 7.4.3.81
• 7.4.3.82
• 7.4.3.83
• 7.4.3.84
• 7.4.3.85
• 7.4.3.86
• 7.4.3.87

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion