CNNVD-202510-4186 Information
CNNVD ID
CNNVD-202510-4186
Related CVE
- CNNVD Published: 2025-10-30
Description
Liferay Portal and related products are from Liferay, a US company. Liferay Portal is a J2EE-based portal solution. Liferay DXP is a digital experience collaboration platform. Xuzijia Blog and related products are from Xuzijia, an individual developer in China. Blog is a personal blog system. Aaron update and related products are from Aaron, an individual developer. update is a library. Liferay Portal and Liferay DXP contain a cross-site scripting vulnerability. It stems from the Blogs widget not adding the sandbox attribute to iframe elements, which may allow a remote attacker to inject arbitrary web script or HTML through a crafted iframe. The following versions are affected: Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 36.
Hazard Level
High
Vulnerability Type
Cross-site scripting
Affected Vendor
Liferay
Published
2025-10-30
Last Modified
2026-02-24