A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file.
2022-10-19T02:15:09.000
2025-05-09T15:15:53.890
Modified
CVSSv3.1: 5.4 (MEDIUM)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | liferay | dxp | < 7.3 | Yes |
| Application | liferay | dxp | 7.3 | Yes |
| Application | liferay | dxp | 7.3 | Yes |
| Application | liferay | dxp | 7.3 | Yes |
| Application | liferay | dxp | 7.3 | Yes |
| Application | liferay | dxp | 7.3 | Yes |
| Application | liferay | dxp | 7.3 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | dxp | 7.4 | Yes |
| Application | liferay | liferay_portal | ≤ 7.4.3.28 | Yes |