Argon21

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.8 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.10 **Description** A reflected cross-site scripting (XSS) issue exists in the Language Override functionality. This allows remote attackers to inject arbitrary web script or HTML through the ` com liferay portal language override web internal portlet PLOPortlet selectedLanguageId` parameter. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.10. Update Liferay DXP to a version later than 2023.Q3.10.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.112 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.8 Liferay Portal 7.4 GA through update 92 Older unsupported versions **Description** The software contains stored cross-site scripting (XSS) issues within the Web Content translation feature. These issues allow remote attackers to inject arbitrary web script or HTML through any rich text field in a web content article. The vulnerability impacts the translation of web content. **Recommendations** Update Liferay Portal to a version later than 7.4.3.112. Update Liferay DXP to a version later than 2023.Q3.10. Update Liferay DXP to a version later than 2023.Q4.8. Update Liferay Portal to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.102 through 7.4.3.110 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay DXP version 2023.Q3.5 **Description** A reflected cross-site scripting (XSS) issue exists on the page configuration page. This allows remote attackers to inject arbitrary web script or HTML via the `com liferay layout admin web portlet GroupPagesPortlet backURLTitle` parameter. **Recommendations** Update Liferay Portal to a version later than 7.4.3.110. Update Liferay DXP to a version later than 2023.Q4.2. Update Liferay DXP to a version later than 2023.Q3.5.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.4 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.4 **Description** A cross-site scripting (XSS) issue exists in the web content template functionality. This allows a remote authenticated user to inject arbitrary web script or HTML. The injection occurs through a crafted payload within the Name text field of a web content structure. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay DXP to a version later than 2023.Q4.4.