LSV-669: Stored XSS with form name in form configuration
Affects versions
None
7.0 Fix Pack Version
None
7.1 Fix Pack Version
18
7.2 Fix Pack Version
5
7.3 Fix Pack Version
None
7.4 Fix Pack Version
None
CVE IDs
CVE-2023-33937
CVSS Base Score
5.4
CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
Fixed
Details
Assignee
EE Support
Reporter
Enterprise Release HU
Priority
Components
Zendesk Support
Linked Tickets
Created April 8, 2020 at 10:18 AM
Updated November 2, 2023 at 2:15 AM
Resolved May 23, 2023 at 9:01 PM
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.