CVE-2023-40191

EPSS 0.39%
Published 21.02.2024 03:15:07
Last modified 28.01.2025 21:18:13
Source security@liferay.com
Teams watchlist Login
Open Login

Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the “Blocked Email Domains” text field

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Liferay ≫ Liferay Portal Version >= 7.4.3.44 < 7.4.3.98

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate44

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate45

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate46

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate47

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate48

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate49

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate50

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate51

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate52

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate53

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate54

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate55

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate56

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate57

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate58

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate59

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate60

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate61

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate62

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate63

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate64

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate65

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate66

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate67

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate68

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate69

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate70

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate71

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate72

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate73

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate74

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate75

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate76

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate77

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate78

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate79

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate80

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate81

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate82

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate83

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate84

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate85

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate86

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate87

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate88

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate89

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate90

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate91

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate92

Liferay ≫ Digital Experience Platform Version2023.q3.0

Liferay ≫ Digital Experience Platform Version2023.q3.1

Liferay ≫ Digital Experience Platform Version2023.q3.2

Liferay ≫ Digital Experience Platform Version2023.q3.3

Liferay ≫ Digital Experience Platform Version2023.q3.4

Liferay ≫ Digital Experience Platform Version2023.q3.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.39%	0.593

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security@liferay.com	9	2.3	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-40191

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40191

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40191

EUVD