CVE-2023-42497
Liferay Portal and Liferay DXP Vulnerable to Reflected XSS via the Export for Translation Page
9.6
CRITICAL
CVSS 3.1
EPSS 0.19%
Description
Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page before 2.0.86 from Liferay Portal (7.4.3.4 through 7.4.3.85), and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.
How to fix CVE-2023-42497
To remediate CVE-2023-42497, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 2.0.86 or later
- —upgrade to 7.4.13.u86 or later
Is CVE-2023-42497 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 7.4.0, <= 7.4.0 | >= 7.4-update1.0, <= 7.4-update1.0, >= 7.4-update21.0, <= 7.4-update21.0, >= 7.4-update34.0, <= 7.4-update34.0, >= 7.4-update36.0, <= 7.4-update36.0, >= 7.4-update41.0, <= 7.4-update41.0, >= 7.4-update48.0, <= 7.4-update48.0, >= 7.4-update50.0, <= 7.4-update50.0, >= 7.4-update52.0, <= 7.4-update52.0, >= 7.4-update62.0, <= 7.4-update62.0, >= 7.4-update67.0, <= 7.4-update67.0, >= 7.4-update76.0, <= 7.4-update76.0, >= 7.4-update81.0, <= 7.4-update81.0, >= 7.4-update82.0, <= 7.4-update82.0, >= 7.4-update83.0, <= 7.4-update83.0, >= 7.4-update84.0, <= 7.4-update84.0, >= 7.4-update85.0, <= 7.4-update85.0
- from 0, < 2.0.86
- >= 7.4.0, < 7.4.13.u86
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |