CVE-2023-42629

9.0 CRITICAL

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into vocabulary descriptions. When users view the affected vocabulary page, the script executes in their browser context. This affects administrators and users with access to vocabulary management pages.

💻 Affected Systems

Products:
  • Liferay Portal
  • Liferay DXP
Versions: Liferay Portal 7.4.2 through 7.4.3.87, Liferay DXP 7.4 before update 88
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to vocabulary management functionality, typically available to authenticated users with appropriate permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface the portal, or redirect users to malicious sites.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed by authenticated users viewing the compromised vocabulary page.

🟢 If Mitigated

Limited impact if proper content security policies and input validation are enforced, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to vocabulary management, but the XSS payload execution affects all users viewing the page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Liferay Portal 7.4.3.88+, Liferay DXP 7.4 update 88+

Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42629

Restart Required: Yes

Instructions:

1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack following Liferay's patch deployment procedures.
3. Restart the Liferay instance.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize vocabulary description fields

Implement a custom servlet filter or hook to sanitize HTML input in vocabulary management

Content Security Policy

all

Enforce strict CSP headers to mitigate XSS impact

Add the header "Content-Security-Policy: default-src 'self'; script-src 'self'" to the web server configuration

🧯 If You Can't Patch

  • Restrict access to vocabulary management pages to only essential administrators
  • Implement web application firewall rules to block XSS payloads in vocabulary descriptions

🔍 How to Verify

Check if Vulnerable:

Check Liferay version via Control Panel → Configuration → Server Administration → System Information

Check Version:

Check liferay.home/portal/version.jsp or Control Panel → Configuration → Server Administration

Verify Fix Applied:

Verify the version is 7.4.3.88+ for Portal or 7.4 update 88+ for DXP, then test the vocabulary description field with a basic XSS payload

📡 Detection & Monitoring

Log Indicators:

  • Unusual vocabulary creation/modification patterns
  • HTML/script tags in vocabulary description fields

Network Indicators:

  • Unexpected outbound connections from Liferay portal pages
  • Suspicious JavaScript execution patterns

SIEM Query:

source="liferay" AND (event="vocabulary_update" OR event="vocabulary_create") AND description CONTAINS "<script>"
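
The query above only matches the literal string "<script>", so markup that carries script through an attribute or an encoded tag is not reported. As an added example (not from the original page or from Liferay), the Python scan below flags any HTML tag, inline event handler or javascript: URI in vocabulary descriptions; the JSON-lines log format, its field names and the sample records are constructed assumptions modelled on the fields in the query.

```python
import html
import json
import re

# Constructed sample audit records; the field names (event, description, user)
# mirror the SIEM query and are assumptions about the log schema.
SAMPLE_LOG = """\
{"event": "vocabulary_create", "user": "editor1", "description": "Topics for the product blog"}
{"event": "vocabulary_update", "user": "editor2", "description": "<script>alert(1)</script>"}
{"event": "vocabulary_update", "user": "editor3", "description": "<IMG SRC=x OnError=alert(1)>"}
{"event": "vocabulary_update", "user": "editor4", "description": "&lt;svg onload=alert(1)&gt;"}
{"event": "vocabulary_create", "user": "editor5", "description": "Use when price < 10 or qty > 3"}
{"event": "page_view", "user": "guest", "description": "<script>not a vocabulary event</script>"}
"""

VOCAB_EVENTS = {"vocabulary_create", "vocabulary_update"}
# Patterns run against the lower-cased, entity-decoded description.
RULES = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*\b[^>]*>"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
    "script_uri": re.compile(r"javascript\s*:"),
}

def suspicious_markup(description):
    """Return the sorted names of the rules that match a description."""
    text = html.unescape(description).lower()  # decode &lt; etc. before matching
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(log_text):
    """Return (user, event, rule names) for each flagged vocabulary event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if record.get("event") not in VOCAB_EVENTS:
            continue
        hits = suspicious_markup(str(record.get("description", "")))
        if hits:
            findings.append((record.get("user"), record["event"], hits))
    return findings

if __name__ == "__main__":
    for user, event, hits in scan(SAMPLE_LOG):
        print(f"{user}\t{event}\t{','.join(hits)}")
```

Plain comparison operators in a description (the editor5 record) are not flagged, because a tag must start with a letter directly after the angle bracket.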
