// For flags

CVE-2020-25476

 

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload.

Liferay CMS Portal versiones 7.1.3 y 7.2.1, presenta una vulnerabilidad de tipo cross-site scripting (XSS) persistente ciego en el parámetro user name en Calendario. Un atacante puede insertar una carga útil maliciosa en los campos username, lastname o surname de su propio perfil, y la carga útil maliciosa será inyectada y reflejada en el calendario del usuario que envió la carga útil. Un atacante podría escalar sus privilegios en caso de que un administrador visite el calendario que inyectó la carga útil

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-09-14 CVE Reserved
  • 2021-01-07 CVE Published
  • 2023-09-23 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Liferay
Search vendor "Liferay"
 Liferay Portal
Search vendor "Liferay" for product "Liferay Portal"
 7.1.3
Search vendor "Liferay" for product "Liferay Portal" and version "7.1.3"
-
Affected
Liferay
Search vendor "Liferay"
 Liferay Portal
Search vendor "Liferay" for product "Liferay Portal"
 7.2.1
Search vendor "Liferay" for product "Liferay Portal" and version "7.2.1"
-
Affected