GHSA-qp68-5v39-r869

Source

https://github.com/advisories/GHSA-qp68-5v39-r869

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qp68-5v39-r869/GHSA-qp68-5v39-r869.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-qp68-5v39-r869

Aliases

Published

2023-10-17T15:30:27Z

Modified

2025-07-29T12:58:13.562486Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Liferay Portal and Liferay DXP Vulnerable to XSS in the Commerce Module

Details

Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module before 4.0.35 from Liferay Portal (7.3.5 through 7.4.3.91), and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.

Database specific

{
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-07-29T12:22:20Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2023-10-17T13:15:11Z"
}

References

Affected packages

Maven / com.liferay.commerce:com.liferay.commerce.address.content.web

Package

Name: com.liferay.commerce:com.liferay.commerce.address.content.web; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.commerce/com.liferay.commerce.address.content.web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.35

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22

1.0.23

1.0.24

1.0.25

1.0.26

1.0.27

1.0.28

1.0.29

1.0.30

1.0.31

1.0.32

1.0.33

1.0.34

1.0.35

1.0.36

1.0.37

1.0.38

1.0.39

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

4.0.17

4.0.18

4.0.19

4.0.20

4.0.21

4.0.22

4.0.23

4.0.24

4.0.25

4.0.26

4.0.27

4.0.28

4.0.29

4.0.30

4.0.31

4.0.32

4.0.33

4.0.34

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.3.0

Last affected

7.3.10.u33

Affected versions

7.*

7.3.10

7.3.10.ep3

7.3.10.ep4

7.3.10.ep5

7.3.10.fp1

7.3.10.fp2

7.3.10.u4

7.3.10.u5

7.3.10.u6

7.3.10.u7

7.3.10.u8

7.3.10.u9

7.3.10.u10

7.3.10.u11

7.3.10.u12

7.3.10.u13

7.3.10.u14

7.3.10.u15

7.3.10.u16

7.3.10.u17

7.3.10.u18

7.3.10.u19

7.3.10.u19-1

7.3.10.u20

7.3.10.u20-1

7.3.10.u21

7.3.10.u21-1

7.3.10.u22

7.3.10.u22-1

7.3.10.u23

7.3.10.u24

7.3.10.u25

7.3.10.u26

7.3.10.u27

7.3.10.u28

7.3.10.u29

7.3.10.u30

7.3.10.u31

7.3.10.u32

7.3.10.u33

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.0

Last affected

7.4.13.u92

Affected versions

7.*

7.4.10.ep1

7.4.11

7.4.12

7.4.13

7.4.13.u1

7.4.13.u2

7.4.13.u3

7.4.13.u4

7.4.13.u5

7.4.13.u6

7.4.13.u7

7.4.13.u8

7.4.13.u9

7.4.13.u10

7.4.13.u15

7.4.13.u16

7.4.13.u17

7.4.13.u18

7.4.13.u19

7.4.13.u20

7.4.13.u21

7.4.13.u22

7.4.13.u23

7.4.13.u24

7.4.13.u25

7.4.13.u26

7.4.13.u27

7.4.13.u28

7.4.13.u29

7.4.13.u30

7.4.13.u31

7.4.13.u32

7.4.13.u33

7.4.13.u34

7.4.13.u35

7.4.13.u36

7.4.13.u37

7.4.13.u38

7.4.13.u39

7.4.13.u40

7.4.13.u41

7.4.13.u42

7.4.13.u43

7.4.13.u44

7.4.13.u45

7.4.13.u46

7.4.13.u47

7.4.13.u48

7.4.13.u49

7.4.13.u50

7.4.13.u51

7.4.13.u52

7.4.13.u53

7.4.13.u54

7.4.13.u55

7.4.13.u56

7.4.13.u57

7.4.13.u58

7.4.13.u59

7.4.13.u60

7.4.13.u61

7.4.13.u62

7.4.13.u63

7.4.13.u64

7.4.13.u65

7.4.13.u66

7.4.13.u67

7.4.13.u68

7.4.13.u69

7.4.13.u70

7.4.13.u71

7.4.13.u72

7.4.13.u73

7.4.13.u74

7.4.13.u75

7.4.13.u76

7.4.13.u77

7.4.13.u78

7.4.13.u79

7.4.13.u80

7.4.13.u81

7.4.13.u82

7.4.13.u83

7.4.13.u84

7.4.13.u85

7.4.13.u86

7.4.13.u87

7.4.13.u88

7.4.13.u89

7.4.13.u90

7.4.13.u91

7.4.13.u92