{"id":"CVE-2023-44309","details":"Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.","aliases":["BIT-liferay-2023-44309","GHSA-j663-6jpj-xx8c"],"modified":"2026-07-08T07:41:45.979983364Z","published":"2023-10-17T09:15:10.347Z","database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","vendor_product":"liferay:digital_experience_platform","cpes":["cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*"],"extracted_events":[{"introduced":"7.4-NA"},{"last_affected":"7.4-NA"},{"introduced":"7.4-update1"},{"last_affected":"7.4-update1"},{"introduced":"7.4-update21"},{"last_affected":"7.4-update21"},{"introduced":"7.4-update34"},{"last_affected":"7.4-update34"},{"introduced":"7.4-update36"},{"last_affected":"7.4-update36"},{"introduced":"7.4-update41"},{"last_affected":"7.4-update41"},{"introduced":"7.4-update48"},{"last_affected":"7.4-update48"},{"introduced":"7.4-update50"},{"last_affected":"7.4-update50"},{"introduced":"7.4-update52"},{"last_affected":"7.4-update52"}]}]},"references":[{"type":"ADVISORY","url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44309"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"75354f3482d7c5edb70f4cd72ed8664ce8079842"},{"fixed":"321766dacdc65adcf958db582121ed699763277d"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"7.4.2"},{"fixed":"7.4.3.53"}],"cpe":"cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*"}}],"versions":["7.4.3.41-ga41","7.4.3.7-ga7","7.4.3.6-ga6","7.4.3.5-ga5","7.4.3.4-ga4","7.4.2-ga3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-44309.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}