CVE-2023-33942 — Cross-site scripting in Liferay Portal

Description

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field.

How to fix CVE-2023-33942

To remediate CVE-2023-33942, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 7.4.3.51 or later

Is CVE-2023-33942 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.4-update50.0, <= 7.4-update50.0
>= 7.4.3.50, < 7.4.3.51

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-33942
PATCHgithub.com/liferay/liferay-portal
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33942