← Back

CVE-2023-40191

nvd nist
Published: Feb 21, 2024Modified: Jan 28, 2025

JSON object

Loading...
6.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.7
Source: NVD

Description

Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field

Affected (56)

Liferay
2 products
Liferay Portal
Digital Experience Platform
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Liferay Portal
From 7.4.3.44 to 7.4.3.98
Configuration B
55 vulnerable
Vulnerable SoftwareAffected Versions
Liferay
Digital Experience Platform
Version 2023.q3.0
Digital Experience Platform
Version 2023.q3.1
Digital Experience Platform
Version 2023.q3.2
Digital Experience Platform
Version 2023.q3.3
Digital Experience Platform
Version 2023.q3.4
Digital Experience Platform
Version 2023.q3.5
Digital Experience Platform
Version 7.4 update44
Digital Experience Platform
Version 7.4 update45
Digital Experience Platform
Version 7.4 update46
Digital Experience Platform
Version 7.4 update47
Digital Experience Platform
Version 7.4 update48
Digital Experience Platform
Version 7.4 update49
Digital Experience Platform
Version 7.4 update50
Digital Experience Platform
Version 7.4 update51
Digital Experience Platform
Version 7.4 update52
Digital Experience Platform
Version 7.4 update53
Digital Experience Platform
Version 7.4 update54
Digital Experience Platform
Version 7.4 update55
Digital Experience Platform
Version 7.4 update56
Digital Experience Platform
Version 7.4 update57
Digital Experience Platform
Version 7.4 update58
Digital Experience Platform
Version 7.4 update59
Digital Experience Platform
Version 7.4 update60
Digital Experience Platform
Version 7.4 update61
Digital Experience Platform
Version 7.4 update62
Digital Experience Platform
Version 7.4 update63
Digital Experience Platform
Version 7.4 update64
Digital Experience Platform
Version 7.4 update65
Digital Experience Platform
Version 7.4 update66
Digital Experience Platform
Version 7.4 update67
Digital Experience Platform
Version 7.4 update68
Digital Experience Platform
Version 7.4 update69
Digital Experience Platform
Version 7.4 update70
Digital Experience Platform
Version 7.4 update71
Digital Experience Platform
Version 7.4 update72
Digital Experience Platform
Version 7.4 update73
Digital Experience Platform
Version 7.4 update74
Digital Experience Platform
Version 7.4 update75
Digital Experience Platform
Version 7.4 update76
Digital Experience Platform
Version 7.4 update77
Digital Experience Platform
Version 7.4 update78
Digital Experience Platform
Version 7.4 update79
Digital Experience Platform
Version 7.4 update80
Digital Experience Platform
Version 7.4 update81
Digital Experience Platform
Version 7.4 update82
Digital Experience Platform
Version 7.4 update83
Digital Experience Platform
Version 7.4 update84
Digital Experience Platform
Version 7.4 update85
Digital Experience Platform
Version 7.4 update86
Digital Experience Platform
Version 7.4 update87
Digital Experience Platform
Version 7.4 update88
Digital Experience Platform
Version 7.4 update89
Digital Experience Platform
Version 7.4 update90
Digital Experience Platform
Version 7.4 update91
Digital Experience Platform
Version 7.4 update92

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: security@liferay.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.