CVE-2023-42629

Description

Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in the Asset Categories Admin Web module before 5.0.87 from Liferay Portal (7.4.2 through 7.4.3.87), and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.

How to fix CVE-2023-42629

To remediate CVE-2023-42629, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 5.0.87 or later
• —upgrade to 7.4.13.u88 or later

Is CVE-2023-42629 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 7.4.0, <= 7.4.0 | >= 7.4-update1.0, <= 7.4-update1.0, >= 7.4-update21.0, <= 7.4-update21.0, >= 7.4-update34.0, <= 7.4-update34.0, >= 7.4-update36.0, <= 7.4-update36.0, >= 7.4-update41.0, <= 7.4-update41.0, >= 7.4-update48.0, <= 7.4-update48.0, >= 7.4-update50.0, <= 7.4-update50.0, >= 7.4-update52.0, <= 7.4-update52.0, >= 7.4-update62.0, <= 7.4-update62.0, >= 7.4-update67.0, <= 7.4-update67.0, >= 7.4-update76.0, <= 7.4-update76.0, >= 7.4-update81.0, <= 7.4-update81.0, >= 7.4-update82.0, <= 7.4-update82.0, >= 7.4-update83.0, <= 7.4-update83.0, >= 7.4-update84.0, <= 7.4-update84.0, >= 7.4-update85.0, <= 7.4-update85.0, >= 7.4-update86.0, <= 7.4-update86.0
• from 0, < 5.0.87
• >= 7.4.0, < 7.4.13.u88

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-42629
• PATCHgithub.com/liferay/liferay-portal
• WEBgithub.com/liferay/liferay-portal/commit/2e02110747dd5cccb978623545bfa1f3ad0a5602
• WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629