CVE-2023-44310

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.6 through 7.4.3.78 Liferay DXP versions 7.3 fix pack 1 through update 23 Liferay DXP version 7.4 before update 79

Description A stored cross-site scripting (XSS) issue in the Page Tree menu allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a page's Name text field.

Recommendations For Liferay Portal versions 7.3.6 through 7.4.3.78, update to a version after 7.4.3.78 to resolve the issue. For Liferay DXP versions 7.3 fix pack 1 through update 23, update to update 24 or later to resolve the issue. For Liferay DXP version 7.4 before update 79, update to update 79 or later to resolve the issue. As a temporary workaround, consider restricting access to the Page Tree menu until a patch is available. Avoid using the Name text field in the Page Tree menu until the issue is resolved.