Liferay Portal and DXP Users Beware of Stored XSS Vulnerability

CVE: CVE-2023-42629
CVSS (v3.1): 9
Source: CVE-2023-42629

Liferay Portal and DXP, which are open source web content management and collaboration platforms, were found to have a stored cross-site scripting (XSS) vulnerability. Stored XSS occurs when a malicious actor is able to inject client-side script into the website by exploiting a vulnerable feature that displays user-supplied input.

In this case, the “description” field for vocabularies stored in Liferay was found to be vulnerable. A remote attacker could craft a malicious payload and enter it as the description text. Then, when other users viewed vocabularies or pages containing that description, the injected script would execute in their browsers. This allows the attacker to potentially steal users’ login cookies or other sensitive information.
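As an added illustration (not Liferay's own template code), the rendering pattern behind this class of bug beside its output-encoded form, plus a small check a defender can run over rendered fragments; the vocabulary object shape and function names are assumptions:

```javascript
// Added example (not Liferay's code): a minimal vocabulary-description
// renderer showing the unescaped pattern behind a stored XSS and the
// output-encoded version. The vocabulary object shape is a constructed
// assumption, not Liferay's actual data model.

// HTML-entity encode the five characters that can break out of text
// or attribute context. Apply this at output time, every time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored text is concatenated straight into markup,
// so anything the author typed becomes part of the viewer's DOM.
function renderVocabularyUnsafe(vocab) {
  return `<div class="vocabulary"><h2>${vocab.name}</h2>` +
         `<p class="description">${vocab.description}</p></div>`;
}

// Hardened pattern: every untrusted field is encoded before insertion,
// so the browser displays the submitted markup as literal text.
function renderVocabularySafe(vocab) {
  return `<div class="vocabulary"><h2>${escapeHtml(vocab.name)}</h2>` +
         `<p class="description">${escapeHtml(vocab.description)}</p></div>`;
}

// Defender-side check: a rendered fragment must not contain any tag
// other than the ones the template itself emits.
function containsUnexpectedTag(html, allowed = ["div", "h2", "p"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample: a description containing markup, as a content
// author might submit it through the vocabulary form.
const sampleVocabulary = {
  name: "Topics",
  description: "Regional <b>terms</b> <script>alert(1)</script>",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderVocabularyUnsafe(sampleVocabulary));
  console.log(renderVocabularySafe(sampleVocabulary));
}
```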

The most effective protection is to update your Liferay Portal or DXP installation to the latest version that patches this vulnerability. You should also be cautious about entering any untrusted data into description or comment fields. Finally, consider using an ad blocker and script blocker in your browser to prevent malicious scripts from running. Staying on top of software updates is key to reducing the risk of this type of vulnerability.
