
CVE-2023-33940:
Cross-site scripting in Liferay Portal

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.25239%
Published: 5/24/2023
Updated: 11/6/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name: com.liferay.portal:release.portal.bom
Ecosystem: maven
Vulnerable Versions: >= 7.4.0, < 7.4.3.31
First Patched Version: 7.4.3.31

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The provided vulnerability reports and advisories describe an XSS vulnerability in the handling of IFrame URLs for Remote Apps, but they do not disclose specific function names or file paths. While the root cause is clearly improper input sanitization of the IFrame URL parameter, the lack of available commit diffs, patch details, or code examples makes it impossible to identify exact vulnerable functions with high confidence. The vulnerability likely resides in the code responsible for rendering or processing Remote App IFrame URLs, but insufficient technical implementation details are provided to pinpoint specific functions.
