VYPR
Get started
← All advisories
Critical severityNVD Advisory· Published Oct 17, 2023· Updated Aug 2, 2024

CVE-2023-42629

CVE-2023-42629

Description

Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.liferay:com.liferay.asset.categories.admin.webMaven
< 5.0.875.0.87
com.liferay.portal:release.dxp.bomMaven
>= 7.4.0, < 7.4.13.u887.4.13.u88

Affected products

2

Patches

1
2e02110747dd

LPS-191047 Escape description

https://github.com/liferay/liferay-portalEudaldo AlonsoJul 20, 2023via ghsa
commit
1 file changed · +1 1
  • modules/apps/asset/asset-categories-admin-web/src/main/resources/META-INF/resources/view.jsp+1 1 modified
    @@ -263,7 +263,7 @@
 						<c:if test="<%= Validator.isNotNull(description) %>">
 							<div class="mb-2">
 								<span class="mr-1"><liferay-ui:message key="description" />:</span>
-								<span class="text-break text-secondary"><%= description %></span>
+								<span class="text-break text-secondary"><%= HtmlUtil.escape(description) %></span>
 							</div>
 						</c:if>
 					</div>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.