Erwin Krazek

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.18 through 7.4.3.101 Liferay DXP 2023.Q3 before patch 6 Liferay DXP 7.4 update 18 through 92 **Description** A stored cross-site scripting (XSS) issue exists in the Document and Media widget, allowing remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a document's `Title` text field. **Recommendations** For Liferay Portal versions 7.4.3.18 through 7.4.3.101, update to a version outside of this range to resolve the issue. For Liferay DXP 2023.Q3, apply patch 6 or later to fix the vulnerability. For Liferay DXP 7.4 update 18 through 92, update to a version outside of this range or apply the necessary patch to resolve the issue. As a temporary workaround, consider restricting access to the Document and Media widget until a patch is available.