{"id":"CVE-2023-33943","details":"Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.","aliases":["BIT-liferay-2023-33943","GHSA-p9xg-9378-cqp7"],"modified":"2026-03-14T12:18:15.458405Z","published":"2023-05-24T15:15:09.897Z","references":[{"type":"ADVISORY","url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33943"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"c0fa99f040b285865b5cb9dbc349fb4fe4b4ec7b"},{"last_affected":"3c47596c0c5936ac38869bf8773dfd9bd98d9a5c"}],"database_specific":{"versions":[{"introduced":"7.4.3.21"},{"last_affected":"7.4.3.62"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.4-update21"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update22"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update23"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update24"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update25"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update26"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update27"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update28"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update29"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update30"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update31"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update32"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update33"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update34"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update35"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update36"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update37"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update38"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update39"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update40"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update41"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update42"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update43"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update44"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update45"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update46"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update47"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update48"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update49"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update50"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update51"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update52"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update53"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update54"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update55"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update56"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update57"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update58"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update59"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update60"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update61"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4-update62"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33943.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}