Miggo Logo
Miggo Vulnerability Database
CVE-2023-33938

CVE-2023-33938: Cross-site scripting in Liferay Portal

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-33938
GHSA ID
GHSA-wvhw-5m89-64gv
EPSS Score
0.27577%
CWE
CWE-79
Published
5/24/2023
Updated
11/6/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.liferay.portal:release.portal.bommaven>= 7.3.0, < 7.4.17.4.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided vulnerability reports and advisories do not include specific code examples, commit diffs, or file paths that would allow identification of exact vulnerable functions. While the vulnerability mechanism (XSS via unescaped Name field in App Builder) is clear, Liferay's implementation details for custom object rendering and form handling are not disclosed in the available resources. Without access to the actual code changes between vulnerable and patched versions, we cannot confidently identify specific functions responsible for input sanitization or output encoding in the custom object details page.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in t** *pp *uil**r mo*ul*'s *ustom o*j**t **t*ils p*** in Li**r*y Port*l *.*.* t*rou** *.*.*, *n* Li**r*y *XP *.* ***or* up**t* ** *llows r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* * *r**t** p

Reasoning

T** provi*** vuln*r**ility r*ports *n* **visori*s *o not in*lu** sp**i*i* *o** *x*mpl*s, *ommit *i**s, or *il* p*t*s t**t woul* *llow i**nti*i**tion o* *x**t vuln*r**l* *un*tions. W*il* t** vuln*r**ility m****nism (XSS vi* un*s**p** N*m* *i*l* in *pp