CVE-2023-42497

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.4 through 7.4.3.85 Liferay DXP 7.4 before update 86

Description A reflected cross-site scripting (XSS) issue exists on the Export for Translation page, allowing remote attackers to inject arbitrary web script or HTML via the com liferay translation web internal portlet TranslationPortlet redirect parameter. This enables attackers to execute malicious scripts in the context of the victim's browser.

Recommendations For Liferay Portal versions 7.4.3.4 through 7.4.3.85, update to a version after 7.4.3.85 to resolve the issue. For Liferay DXP 7.4 before update 86, apply update 86 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the Export for Translation page and the com liferay translation web internal portlet TranslationPortlet redirect parameter until a patch is available.