[LPE-17403] LSV-959: Stored XSS with announcement/alert type - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 7.1 DXP (7.1.10)
Fix Version/s: 7.1.x EE, 7.2.X EE, 7.3.X EE
Component/s: None
Labels:

CVE IDs:
CVE-2022-42110
CVSS Base Score:
5.4
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
7.1 Fix Pack Version:
27
7.2 Fix Pack Version:
17
7.3 Fix Pack Version:
3

Description

Cross-site scripting (XSS) vulnerability in the Announcements module's Announcement and Alerts management page in Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_announcements_web_portlet_AnnouncementsAdminPortlet_type parameter.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Jorge Avalos

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 19/Oct/21 1:28 PM

Updated:: 17/Oct/22 11:48 PM

Resolved:: 13/Jul/22 3:14 PM

Packages

Version	Package
7.1.x EE
7.2.X EE
7.3.X EE