GHSA-49gm-5685-8fxv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-49gm-5685-8fxv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-49gm-5685-8fxv/GHSA-49gm-5685-8fxv.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-49gm-5685-8fxv
- Aliases
- Published
- 2023-10-17T12:30:26Z
- Modified
- 2025-07-15T20:44:20.724660Z
- Severity
-
- 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Liferay Portal and Liferay DXP Vulnerable to XSS via the OAuth2ProviderApplicationRedirect Class
- Details
-
Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class before 4.0.51 from Liferay Portal (7.4.3.41 through 7.4.3.89), and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter. This issue is caused by an incomplete fix in CVE-2023-33941.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2023-10-17T10:15:09Z", "github_reviewed_at": "2025-07-15T20:18:15Z", "severity": "CRITICAL" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-44311
- https://github.com/liferay/liferay-portal/commit/c07e48d9f489b24e97e71139ac5aa7ef339d9ee9
- https://github.com/liferay/liferay-portal
- https://liferay.atlassian.net/browse/LPE-17804
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44311
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-44311?p_r_p_assetEntryId=122124899&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D122124899%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
Affected packages
Maven / com.liferay:com.liferay.oauth2.provider.rest
Package
- Name
- com.liferay:com.liferay.oauth2.provider.rest
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay/com.liferay.oauth2.provider.rest
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.0.51
Affected versions
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.0.26
1.0.27
1.0.28
1.0.29
1.0.30
1.0.31
1.0.32
1.0.33
1.0.34
1.0.35
1.0.36
1.0.37
1.0.38
1.0.39
1.0.40
1.0.41
1.0.42
1.0.43
1.0.44
1.0.45
1.0.46
1.0.47
1.0.48
1.0.49
1.0.50
1.0.51
1.0.52
1.0.53
1.0.54
1.0.55
1.0.56
1.0.57
1.0.58
1.0.59
1.0.60
1.0.61
1.0.62
1.0.63
1.0.64
1.0.65
1.0.66
1.0.67
1.0.68
1.0.69
1.0.70
1.0.71
1.0.72
1.0.73
1.0.74
1.0.75
1.0.76
1.0.77
1.0.78
1.0.79
1.0.80
1.0.81
1.0.82
1.0.83
1.0.84
1.0.85
1.0.86
1.0.87
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.50
2.0.51
2.0.52
2.0.53
2.0.54
2.0.55
2.0.56
2.0.57
2.0.58
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21
3.0.22
3.0.23
3.0.24
3.0.25
3.0.26
3.0.27
3.0.28
3.0.29
3.0.30
3.0.31
3.0.32
3.0.33
3.0.34
3.0.35
3.0.36
3.0.37
3.0.38
3.0.39
3.0.40
3.0.41
3.0.42
3.0.43
3.0.44
3.0.45
3.0.46
3.0.47
3.0.48
3.0.49
3.0.50
3.0.51
3.0.52
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.22
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.0.29
4.0.30
4.0.31
4.0.32
4.0.33
4.0.34
4.0.35
4.0.36
4.0.37
4.0.38
4.0.39
4.0.40
4.0.41
4.0.42
4.0.43
4.0.44
4.0.45
4.0.46
4.0.47
4.0.48
4.0.49
4.0.50
Maven / com.liferay.portal:release.dxp.bom
Package
- Name
- com.liferay.portal:release.dxp.bom
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay.portal/release.dxp.bom
Affected versions
7.*
7.4.13.u41
7.4.13.u42
7.4.13.u43
7.4.13.u44
7.4.13.u45
7.4.13.u46
7.4.13.u47
7.4.13.u48
7.4.13.u49
7.4.13.u50
7.4.13.u51
7.4.13.u52
7.4.13.u53
7.4.13.u54
7.4.13.u55
7.4.13.u56
7.4.13.u57
7.4.13.u58
7.4.13.u59
7.4.13.u60
7.4.13.u61
7.4.13.u62
7.4.13.u63
7.4.13.u64
7.4.13.u65
7.4.13.u66
7.4.13.u67
7.4.13.u68
7.4.13.u69
7.4.13.u70
7.4.13.u71
7.4.13.u72
7.4.13.u73
7.4.13.u74
7.4.13.u75
7.4.13.u76
7.4.13.u77
7.4.13.u78
7.4.13.u79
7.4.13.u80
7.4.13.u81
7.4.13.u82
7.4.13.u83
7.4.13.u84
7.4.13.u85
7.4.13.u86
7.4.13.u87
7.4.13.u88
7.4.13.u89