CVE-2023-47797
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal allows remote attackers to inject malicious scripts or HTML via the p_l_back_url_title parameter on content edit pages. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions. Organizations running affected Liferay Portal versions are at risk.
💻 Affected Systems
- Liferay Portal
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, perform unauthorized content modifications, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers would typically use this to steal session cookies or credentials from authenticated users, enabling account takeover and privilege escalation within the portal.
If Mitigated
With proper input validation and output encoding, the malicious payload would be neutralized, preventing script execution while maintaining normal portal functionality.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users into clicking malicious links; no authentication bypass needed for the XSS itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.3.96 and later
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47797
Restart Required: Yes
Instructions:
1. Download Liferay Portal 7.4.3.96 or later from official sources.
2. Back up the current installation and data.
3. Stop the Liferay service.
4. Replace with the patched version.
5. Restart the Liferay service.
6. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
All platforms: implement a servlet filter to sanitize p_l_back_url_title parameter values.
Implement a custom filter in Liferay to strip/encode script tags from the p_l_back_url_title parameter.
Content Security Policy
All platforms: implement strict CSP headers to prevent script execution from untrusted sources.
Add the header Content-Security-Policy: script-src 'self' to HTTP responses.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in p_l_back_url_title parameter
- Disable or restrict access to content edit pages for non-essential users
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject a script payload into the p_l_back_url_title parameter on content edit pages and checking whether it executes.
Check Version:
Check Liferay Control Panel → Server Administration → Properties → liferay.version
Verify Fix Applied:
After patching, attempt the same XSS payload injection; the script should not execute and should be properly encoded in the output.
📡 Detection & Monitoring
Log Indicators:
- Unusual length or pattern in p_l_back_url_title parameter values
- Multiple failed login attempts following suspicious URL access
Network Indicators:
- HTTP requests containing script tags or JavaScript in p_l_back_url_title parameter
- Unusual redirect patterns from content edit pages
SIEM Query:
http.uri_param contains "p_l_back_url_title" AND (http.uri_param contains "<script>" OR http.uri_param contains "javascript:")
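A literal match on "<script>" can miss percent-encoded or double-encoded values, so the following added example (not part of the vendor advisory or of Liferay) decodes p_l_back_url_title before checking it and goes slightly beyond the query above by flagging any markup characters. It assumes combined-format access logs; the sample lines, the path /web/guest/edit and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "p_l_back_url_title"
# A back-link title has no reason to carry markup characters or a script scheme.
SUSPICIOUS = re.compile(r'[<>"]|javascript\s*:', re.IGNORECASE)
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line):
    """Return decoded p_l_back_url_title values in one log line that contain markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == PARAM:
            decoded = fully_decode(value)
            if SUSPICIOUS.search(decoded):
                hits.append(decoded)
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /web/guest/edit?p_l_back_url_title=Web+Content HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2024:10:00:05 +0000] "GET /web/guest/edit?p_l_back_url_title=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2024:10:00:09 +0000] "GET /web/guest/edit?p_l_back_url_title=%253Cscript%253Ex%253C%252Fscript%253E HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:12 +0000] "GET /web/guest/edit?q=%3Cb%3E&p_l_back_url_title=Home HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for value in suspicious_values(line):
            print("ALERT", line.split()[0], repr(value))
```

The check is a triage heuristic: a legitimate title containing a double quote will also be flagged, so alerts should be reviewed alongside the source address and referrer.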