LSV-669: Stored XSS with form name in form configuration

Affects versions: None

Fix versions

7.0 Fix Pack Version: None
7.1 Fix Pack Version: 18
7.2 Fix Pack Version: 5
7.3 Fix Pack Version: None
7.4 Fix Pack Version: None

CVE IDs

CVSS Base Score

CVSS Vector String

Description

Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.

Fixed

Details

Assignee

Reporter

Priority

Components

Created April 8, 2020 at 10:18 AM
Updated November 2, 2023 at 2:15 AM
Resolved May 23, 2023 at 9:01 PM