CVE-2023-42628
📋 TL;DR
This stored XSS vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into wiki pages through the content field. When other users view the compromised wiki page, the script executes in their browser context. All users of affected Liferay versions with wiki functionality enabled are vulnerable.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.
Likely Case
Session hijacking, credential theft, defacement of wiki pages, and unauthorized actions within user permissions.
If Mitigated
Script execution blocked by Content Security Policy or input sanitization, limiting impact to minor UI disruption.
🎯 Exploit Status
Exploitation requires an authenticated user with wiki edit permissions. Technical details and a proof-of-concept are available in the public references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.88+, Liferay DXP 7.4 update 88+, or apply relevant fix packs for earlier versions
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
Restart Required: Yes
Instructions:
1. Back up your Liferay instance.
2. Apply the appropriate fix pack or update from Liferay's customer portal.
3. Restart the application server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Wiki Widget
Remove or disable the wiki widget from all pages to prevent exploitation.
Navigate to Site Administration > Pages > Configure > Widgets, remove Wiki widget
Implement Input Validation
Add custom input validation to sanitize HTML/script content in wiki fields.
Implement custom portlet filter or validator to sanitize wiki content input
🧯 If You Can't Patch
- Restrict wiki edit permissions to trusted users only
- Implement Content Security Policy headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check the Liferay version via Control Panel > Server Administration > Properties, or examine the version attribute in liferay-portal.xml, and compare it against the patched versions listed above
Check Version:
Check ${liferay.home}/tomcat-${version}/webapps/ROOT/WEB-INF/liferay-portal.xml for version attribute
Verify Fix Applied:
After patching, enter a harmless test payload such as <script>alert('test')</script> into the wiki content field and confirm that it is rendered as escaped text rather than executed when the page is viewed
📡 Detection & Monitoring
Log Indicators:
- Unusual wiki page edits, especially with script tags or JavaScript content
- Multiple failed login attempts followed by wiki edits
Network Indicators:
- Outbound connections to suspicious domains from user browsers after viewing wiki pages
SIEM Query:
source="liferay.log" AND ("wiki" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))
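As an added example that is not part of this advisory or of Liferay's own tooling, the Python script below applies the indicators from the SIEM query above to constructed request-log lines (the log format is hypothetical), URL-decoding the submitted wiki content before matching and generalizing the onerror=/onload= indicators to any inline event handler:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (hypothetical format, not real Liferay output):
# timestamp, user, HTTP method, request path, URL-encoded wiki content for edits.
SAMPLE_LOG = """\
2023-10-02T10:14:01Z user=alice POST /group/guest/wiki/-/wiki/Main/Home/edit content=Release+notes+for+1.2
2023-10-02T10:15:22Z user=mallory POST /group/guest/wiki/-/wiki/Main/Home/edit content=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
2023-10-02T10:16:05Z user=bob GET /group/guest/wiki/-/wiki/Main/Home
2023-10-02T10:17:40Z user=mallory POST /group/guest/wiki/-/wiki/Main/Links/edit content=%3Ca+href%3D%22JavaScript%3Avoid%280%29%22%3Eclick%3C%2Fa%3E
2023-10-02T10:18:11Z user=carol POST /group/guest/wiki/-/wiki/Main/FAQ/edit content=See+%26lt%3Bscript%26gt%3B+tag+docs
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>GET|POST) (?P<path>\S+)"
    r"(?: content=(?P<content>\S*))?$"
)

# Indicators from the SIEM query; "event_handler" covers onerror=, onload= and
# every other inline on*= handler. Matching is case-insensitive because browsers are.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}

def decode_body(raw):
    """URL-decode a form body until stable (bounded) so double-encoded payloads are seen."""
    for _ in range(3):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def scan_log(text):
    """Return one finding per wiki edit (POST to a /wiki/ path) whose decoded content matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or "/wiki/" not in m["path"]:
            continue  # only stored content submissions matter for this CVE
        body = decode_body(m["content"] or "")
        matched = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if matched:
            hits.append({"ts": m["ts"], "user": m["user"], "path": m["path"],
                         "indicators": matched, "content": body})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["user"], hit["path"], hit["indicators"], repr(hit["content"]))
```

The entity-encoded `&lt;script&gt;` in the last sample line is deliberately not flagged: it is escaped text, not a tag, and decoding only the URL layer keeps that distinction.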
🔗 References
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
- https://www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal/