CVE-2020-7934
LifeRay 7.2.1 GA2 - Stored XSS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.
En LifeRay Portal CE versiones 7.1.0 hasta 7.2.1 GA2, los campos First Name, Middle Name, y Last Name para las cuentas de usuario en MyAccountPortlet son vulnerables a un problema de tipo XSS persistente. Cualquier usuario puede modificar estos campos con una carga útil XSS particular, y será almacenada en la base de datos. La carga útil entonces será renderizada cuando un usuario utilice la funcionalidad search para buscar a otros usuarios (es decir, si se presenta un usuario con campos modificados en los resultados de la búsqueda). Este problema fue corregido en el Portal Liferay CE versión 7.3.0 GA1
LifeRay version 7.2.1 GA2 suffers from a persistent cross site scripting vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-23 CVE Reserved
- 2020-01-28 CVE Published
- 2020-11-23 First Exploit
- 2023-03-07 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/160168/LifeRay-7.2.1-GA2-Cross-Site-Scripting.html | X_refsource_misc |
|
| https://semanticbits.com/liferay-portal-authenticated-xss-disclosure | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/49091 | 2020-11-23 | |
| https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Liferay Search vendor "Liferay" | Liferay Portal Search vendor "Liferay" for product "Liferay Portal" | >= 7.1.0 <= 7.2.1 Search vendor "Liferay" for product "Liferay Portal" and version " >= 7.1.0 <= 7.2.1" | community |
Affected
| ||||||