CVE-2023-42629

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.2 through 7.4.3.87 Liferay DXP 7.4 before update 88

Description A stored cross-site scripting (XSS) issue exists in the manage vocabulary page, allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's description text field.

Recommendations For Liferay Portal versions 7.4.2 through 7.4.3.87, update to a version after 7.4.3.87 to resolve the issue. For Liferay DXP 7.4 before update 88, apply update 88 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the manage vocabulary page until a patch is available. Avoid using the description text field in the affected page until the issue is resolved.