CVE-2023-42627
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2023-42627 is a cross-site scripting (XSS) vulnerability affecting multiple versions of Liferay Portal and DXP. The Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, in Liferay DXP 7.3 update 33 and earlier, and in Liferay DXP 7.4 before update 92 is susceptible to this issue. Attackers can inject arbitrary web script or HTML through vulnerable fields, including Shipping Name, Shipping Phone Number, Shipping Address, Shipping Address 2, Shipping Address 3, Shipping Zip, Shipping City, Shipping Region, Shipping Country, Billing Name, Billing Phone Number, Billing Address, Billing Address 2, Billing Address 3, Billing Zip, Billing City, Billing Region, Billing Country, or Region Code. Successful attacks could result in unauthorized access, data theft, or site defacement. Users are advised to update their systems as soon as possible to mitigate this risk.
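To find which installations still need the update, the version ranges in the summary can be checked against a deployment inventory. The script below is an added example, not Liferay or Recorded Future code; the inventory format and host names are constructed, and a DXP release string with no update number is assumed to mean update 0.

```python
import re

# Affected ranges exactly as stated in the summary above.
PORTAL_FIRST = (7, 3, 5)          # Liferay Portal 7.3.5 ...
PORTAL_LAST = (7, 4, 3, 91)       # ... through 7.4.3.91
DXP_73_LAST_AFFECTED = 33         # DXP 7.3 update 33 and earlier
DXP_74_FIRST_FIXED = 92           # DXP 7.4 before update 92

def portal_affected(version):
    """version: dotted Liferay Portal version such as '7.4.3.91'."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return PORTAL_FIRST <= parts <= PORTAL_LAST

def dxp_affected(release):
    """release: e.g. '7.4 update 91', or '7.3' (assumed: no update = 0)."""
    m = re.fullmatch(r"\s*(7\.[34])(?:\s+update\s+(\d+))?\s*", release, re.I)
    if not m:
        # DXP lines other than 7.3 and 7.4 are not covered by the summary.
        raise ValueError(f"release not covered by the advisory: {release!r}")
    line, update = m.group(1), int(m.group(2) or 0)
    if line == "7.3":
        return update <= DXP_73_LAST_AFFECTED
    return update < DXP_74_FIRST_FIXED

def triage(inventory):
    """Map each host to 'affected', 'outside listed range' or 'check manually'."""
    results = {}
    for host, product, version in inventory:
        check = portal_affected if product == "portal" else dxp_affected
        try:
            results[host] = "affected" if check(version) else "outside listed range"
        except ValueError:
            results[host] = "check manually"  # unparseable or unlisted release
    return results

# Constructed sample inventory: (host, product, version string).
SAMPLE_INVENTORY = [
    ("shop-01", "portal", "7.4.3.91"),
    ("shop-02", "portal", "7.4.3.92"),
    ("b2b-01", "dxp", "7.3 update 33"),
    ("b2b-02", "dxp", "7.4 update 92"),
    ("legacy-01", "dxp", "7.2 fix pack 5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```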
Affected Products
- Liferay Portal
Affected Vendors
- Liferay