Duy Huynh

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.0 through 7.4.0 Liferay DXP 7.3 before update 14 **Description** A cross-site scripting (XSS) issue exists in the App Builder module's custom object details page, allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field. **Recommendations** For Liferay Portal versions 7.3.0 through 7.4.0, update to a version outside of the affected range to resolve the issue. For Liferay DXP 7.3, apply update 14 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the App Builder module's custom object details page until a patch is available. Avoid using the `Name` field in the App Builder custom object until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.5 through 7.4.2 Liferay DXP 7.3 before update 8 **Description** Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. **Recommendations** For Liferay Portal versions 7.3.5 through 7.4.2, update to a version after 7.4.2 to resolve the issue. For Liferay DXP 7.3, apply update 8 to fix the vulnerability. As a temporary workaround, consider disabling the Commerce module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.3 through 7.4.0 Liferay DXP 7.3 before service pack 3 **Description** A cross-site scripting (XSS) issue exists in the Asset module's asset categories selector, allowing remote attackers to inject arbitrary web script or HTML via the name of an asset category. **Recommendations** For Liferay Portal versions 7.3.3 through 7.4.0, update to a version outside of this range to resolve the issue. For Liferay DXP 7.3 before service pack 3, apply service pack 3 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the Asset module's asset categories selector until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.5 through 7.4.0 Liferay DXP versions 7.3 before service pack 3 **Description** Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a form field's help text to the Forms module's form builder or the App Builder module's object form view's form builder. **Recommendations** For Liferay Portal versions 7.3.5 through 7.4.0, consider disabling the form builder in the Forms module and the object form view's form builder in the App Builder module until a patch is available. For Liferay DXP versions 7.3 before service pack 3, consider disabling the form builder in the Forms module and the object form view's form builder in the App Builder module until a patch is available. Restrict access to the form field's help text in the affected modules to minimize the risk of exploitation.