6.1
CVE-2023-3193
- EPSS 0.18%
- Veröffentlicht 15.06.2023 04:15:34
- Zuletzt bearbeitet 09.01.2026 02:16:58
- Quelle security@liferay.com
- CVE-Watchlists
- Unerledigt
LoginCross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate70
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate71
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate72
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate73
Liferay ≫ Liferay Portal Version >= 7.4.3.70 < 7.4.3.74
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.395 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| security@liferay.com | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.