Protect Your Liferay Portal from Cross-Site Scripting Attacks

CVE: CVE-2023-42628
CVSS v3.1: 9
Source: CVE-2023-42628

Liferay Portal is a popular open source web content management and collaboration platform. Unfortunately, versions 7.1.0 through 7.4.3.87 are affected by a stored cross-site scripting (XSS) vulnerability in its Wiki widget.

Cross-site scripting attacks work by injecting malicious scripts into web pages viewed by other users. In this case, a hacker could craft a payload and insert it into the ‘Content’ text field of a wiki page. Then, when other users view that wiki page, the injected script would run in their browsers. This allows the attacker to potentially steal users’ login cookies and other sensitive information.

To exploit the vulnerability, a hacker only needs to get a user to view a specially crafted wiki page. They do not need direct access to the Liferay server. The injected script would run whenever any user loads that page, even administrators.

If you use an affected version of Liferay Portal, you should immediately update to the latest version that fixes this issue. Versions 7.1.0 through 7.4.3.87 are vulnerable, so be sure to update beyond those versions. You should also carefully review any wiki pages for suspicious content and consider disabling the Wiki widget if possible until you can update. Staying on top of software updates is one of the best ways to protect yourself from vulnerabilities like this.
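As an added example (not Liferay's code and not part of the original advisory), the following Python helper carries out the "review any wiki pages for suspicious content" step above: it scans exported wiki page bodies for markup that would execute script when rendered, so affected pages can be triaged before the upgrade. The export format (a mapping of page title to HTML body) and the sample pages are constructed assumptions.

```python
# Added example, not Liferay code: a defender-side review helper that scans
# exported wiki page bodies (the 'Content' field) for markup that executes
# script when rendered. Export format and sample pages are constructed.
from html.parser import HTMLParser

EXECUTABLE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class _SuspiciousMarkupScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in EXECUTABLE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "vbscript", "data"):
                    self.findings.append(f"{scheme}: URL in {name} of <{tag}>")


def find_suspicious_markup(content: str) -> list[str]:
    """Return human-readable findings for one wiki page body."""
    scanner = _SuspiciousMarkupScanner()
    scanner.feed(content)
    scanner.close()
    return scanner.findings


def review_wiki_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map page title -> findings, listing only pages that have any."""
    return {t: f for t, body in pages.items() if (f := find_suspicious_markup(body))}


# Constructed sample export: two benign pages and one carrying active content
# (handler bodies are placeholders, not real payloads).
SAMPLE_PAGES = {
    "Home": '<p>Welcome to the team wiki.</p><a href="https://example.org">Docs</a>',
    "Release notes": "<h2>v2.1</h2><ul><li>Fixed login bug</li></ul>",
    "Onboarding": '<p onmouseover="placeholder">Hover</p><img src=x onerror="placeholder">',
}

if __name__ == "__main__":
    for title, findings in review_wiki_pages(SAMPLE_PAGES).items():
        print(f"{title}: {', '.join(findings)}")
```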
