CVE-2023-47795
📋 TL;DR
This stored XSS vulnerability allows authenticated attackers to inject malicious scripts into document titles in Liferay's Document and Media widget. When other users view these documents, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. Affects Liferay Portal 7.4.3.18 through 7.4.3.101, Liferay DXP 2023.Q3 before patch 6, and Liferay DXP 7.4 update 18 through 92.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access, install backdoors, exfiltrate sensitive data, or pivot to internal systems.
Likely Case
Attackers steal user session cookies, perform account takeovers, deface content, or redirect users to malicious sites.
If Mitigated
Script execution is blocked by CSP headers, input validation catches malicious payloads, or user sessions are protected with HttpOnly flags.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - just injecting script payloads into title fields. Stored XSS vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.102+, Liferay DXP 2023.Q3 patch 6+, Liferay DXP 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Liferay Customer Portal.
2. Apply the patch following Liferay's patching documentation.
3. Restart the Liferay instance.
4. Verify the fix by testing XSS payloads in document titles.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize document title fields
Implement a custom servlet filter or hook to sanitize title input before processing
Content Security Policy
Implement strict CSP headers to block inline script execution
Add the header Content-Security-Policy: script-src 'self' to the web server configuration
🧯 If You Can't Patch
- Restrict Document and Media widget permissions to trusted users only
- Implement WAF rules to block XSS payloads in title parameters
🔍 How to Verify
Check if Vulnerable:
Test by creating a document with a title containing <script>alert('XSS')</script> and checking whether the script executes when the document is viewed
Check Version:
Check Liferay version in Control Panel → Configuration → Server Administration → System Information
Verify Fix Applied:
After patching, repeat the same XSS test; the script should be sanitized and not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual document creation/modification patterns
- Requests with script tags in title parameters
- Multiple failed login attempts followed by document uploads
Network Indicators:
- HTTP requests containing script tags in POST parameters
- Outbound connections to suspicious domains after document views
SIEM Query:
source="liferay.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND ("title=" OR "document")
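
The SIEM query above matches literal strings, so a title submitted as a form-encoded POST parameter (for example %3Cscript%3E) would not match it. The following is an added example, not part of the original advisory or Liferay's code, that decodes title parameters before checking for the same markers. The log line layout, the request paths and the parameter name _examplePortlet_title are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Markers derived from the SIEM query above ("<script" also covers tags with attributes).
MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Assumed log layout (constructed for this example, not Liferay's real format):
#   <timestamp> user=<name> <METHOD> <path> body=<form-encoded request body>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$"
)

def suspicious_titles(lines):
    """Return one finding per POSTed title parameter that contains a marker."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # parse_qsl percent-decodes names and values and turns '+' into a space.
        for name, value in parse_qsl(m["body"], keep_blank_values=True):
            # Assumption: the title field's parameter name ends in "title".
            if not name.lower().endswith("title"):
                continue
            # Lower-case and drop whitespace so "OnError = " matches "onerror=".
            normalized = re.sub(r"\s+", "", value).lower()
            hits = [mk for mk in MARKERS if mk in normalized]
            if hits:
                findings.append({"ts": m["ts"], "user": m["user"], "path": m["path"],
                                 "param": name, "title": value, "markers": hits})
    return findings

# Constructed sample log lines (not real Liferay output).
SAMPLE_LOG = [
    "2023-11-20T10:15:02Z user=alice POST /documents/add "
    "body=_examplePortlet_title=Quarterly+report&_examplePortlet_description=Q3",
    "2023-11-20T10:17:40Z user=mallory POST /documents/add "
    "body=_examplePortlet_title=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E",
    "2023-11-20T10:18:05Z user=mallory POST /documents/edit "
    "body=_examplePortlet_title=%3CIMG+SRC%3Dx+OnError+%3D+alert%281%29%3E",
    "2023-11-20T10:19:00Z user=bob GET /documents/view body=",
]

if __name__ == "__main__":
    for f in suspicious_titles(SAMPLE_LOG):
        print(f["ts"], f["user"], f["path"], f["markers"], repr(f["title"]))
```

Findings include the decoded title and the submitting user, so they can be correlated with the document creation and modification events listed under Log Indicators.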