CVE-2023-42628: Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget

October 17, 2023 (updated July 29, 2025)

Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Wiki Web before 7.0.95 from Liferay Portal (7.1.0 through 7.4.3.87), and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page’s ‘Content’ text field.

References

github.com/advisories/GHSA-hv45-r2f5-fmhj
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42628
nvd.nist.gov/vuln/detail/CVE-2023-42628
www.pentagrid.ch/en/blog/stored-cross-site-scripting-vulnerabilities-in-liferay-portal

Code Behaviors & Features

Detect and mitigate CVE-2023-42628 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →