| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.dynamic.data.mapping.item.selector.web | maven | < 1.0.9 | 1.0.9 |
The vulnerability is a set of cross-site scripting (XSS) issues in Liferay Portal. I have identified two commits that fix XSS vulnerabilities. The first commit, 4218ecd902dbd860d3f9ee233b0ffa4c822a49ee, fixes an XSS vulnerability in the mentions feature by escaping user names. This is directly related to the vulnerability description, which mentions that the vulnerability is in the user's name fields. The second commit, 433f82c03fac10167f1f811efb482d6010bac6db, fixes an XSS vulnerability in the commerce product definitions by adding sanitization to several fields. Although this is in a different package than the one mentioned in the advisory, it is still a security fix for XSS and could be related to the "multiple cross-site scripting (XSS) vulnerabilities" mentioned in the description. I was unable to find a commit that modifies the package com.liferay.dynamic.data.mapping.item.selector.web mentioned in the advisory. It is possible that the vulnerability is in a component that is used by this package, such as the mentions portlet.
| Function | File |
|---|---|
| com.liferay.mentions.web.internal.portlet.MentionsPortlet._getJSONArray | modules/apps/mentions/mentions-web/src/main/java/com/liferay/mentions/web/internal/portlet/MentionsPortlet.java |
| com.liferay.commerce.product.service.impl.CPDefinitionLocalServiceImpl.updateCPDefinitionLocalization | modules/apps/commerce/commerce-product-service/src/main/java/com/liferay/commerce/product/service/impl/CPDefinitionLocalServiceImpl.java |