The security vulnerability is a reflected Cross-Site Scripting (XSS) issue in the Liferay Portal Style Book feature. The root cause is improper handling of user-supplied input, specifically the theme name, which is rendered as the subtitle of a 'Vertical Card' component. The provided patch (commit e15df92e3faa3abbf38e3643b79ab8cf2983d6df) shows that the subtitle variable was rendered without HTML escaping. The change is in the VerticalCardTag.java file, within the _writeCard method, which writes the subtitle directly to the jspWriter. The fix wraps the subtitle variable in HtmlUtil.escape(), the standard Liferay utility for encoding output to prevent XSS. The _writeCard method is therefore the precise location of the vulnerability: it is the point where untrusted data reaches the output stream, which is what makes the XSS possible.
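To make the before/after shape of the fix concrete, the following is an added illustration, not Liferay's own code and not the contents of the commit: it models a card writer that emits a subtitle into HTML, first verbatim (the vulnerable pattern the advisory describes) and then wrapped in an escape call. The real tag writes to a javax.servlet.jsp.JspWriter and calls com.liferay.portal.kernel.util.HtmlUtil.escape(); here a java.io.Writer and a local escape() helper are assumed as stand-ins so the example compiles on its own, and the theme name is a constructed sample.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

// Added example (not Liferay code): the _writeCard pattern before and after escaping.
public class VerticalCardEscapeDemo {

    // Stand-in for HtmlUtil.escape(): encodes the characters that would let
    // a string break out of HTML text or attribute context.
    static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable shape: the subtitle (the theme name) is written verbatim,
    // so any markup it contains is interpreted by the browser.
    static void writeCardUnescaped(Writer out, String subtitle) throws IOException {
        out.write("<div class=\"card-subtitle\">");
        out.write(subtitle);
        out.write("</div>");
    }

    // Fixed shape: the same write, with the subtitle escaped first,
    // mirroring what wrapping the variable in HtmlUtil.escape() achieves.
    static void writeCardEscaped(Writer out, String subtitle) throws IOException {
        out.write("<div class=\"card-subtitle\">");
        out.write(escape(subtitle));
        out.write("</div>");
    }

    // Renders one card into a String so the two outputs can be compared.
    static String render(boolean escaped, String subtitle) throws IOException {
        StringWriter sw = new StringWriter();
        if (escaped) {
            writeCardEscaped(sw, subtitle);
        } else {
            writeCardUnescaped(sw, subtitle);
        }
        return sw.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed theme name containing harmless markup; enough to show
        // that the unescaped path emits it as live HTML.
        String themeName = "Classic <b>injected markup</b>";
        System.out.println("before: " + render(false, themeName));
        System.out.println("after:  " + render(true, themeName));
    }
}
```

Compile and run with `javac VerticalCardEscapeDemo.java && java VerticalCardEscapeDemo`. The "before" line contains a live `<b>` element inside the subtitle div, while the "after" line contains `&lt;b&gt;injected markup&lt;/b&gt;`, which a browser displays as literal text. The same check is what a reviewer applies to any JSP tag or taglib that concatenates a request- or database-derived value into a Writer: every such write should pass through a context-appropriate encoder.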
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.frontend.taglib.clay | maven | < 15.2.1 | 15.2.1 |