Foobar7

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q4.10 Liferay Portal versions 7.3 GA through update 36 Liferay DXP versions 7.4 GA through update 92 **Description** A cross-site scripting (XSS) issue exists in the Blogs widget. The widget does not include the sandbox attribute for `<iframe>` elements, potentially allowing attackers to access the parent page through scripts and links within the frame. This can be triggered by injecting a crafted `<iframe>` into the “Content” text field of a blog entry. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.10. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay Portal to a version later than update 92. Update Liferay Portal to a version later than update 36.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay Portal 7.4 GA through update 92 **Description** An Insecure Direct Object Reference (IDOR) issue exists that allows remotely authenticated users in one virtual instance to assign an organization to a user in a different virtual instance. This is achieved through manipulation of the ` com liferay users admin web portlet UsersAdminPortlet addUserIds` parameter. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.10. Update Liferay Portal 7.4 to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.1 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q4.5 **Description** An insecure direct object reference (IDOR) exists in the Publications feature. This allows remotely authenticated attackers to view the edit page of a publication by manipulating the ` com liferay change tracking web portlet PublicationsPortlet ctCollectionId` parameter. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.4 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay Portal versions 7.4 GA through update 92 **Description** An Insecure Direct Object Reference (IDOR) issue exists in Liferay Portal and DXP. This allows a remotely authenticated user to access addresses from different accounts. The issue is related to the ` com liferay account admin web internal portlet AccountEntriesAdminPortlet addressId` parameter. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay Portal to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay DXP versions 2023.Q4.1 through 2023.Q4.5 **Description** An Insecure Direct Object Reference (IDOR) issue exists in Liferay DXP that allows authenticated remote users to access shipment addresses from different virtual instances. This occurs through the `commerceOrderId` parameter in the ` com liferay commerce order web internal portlet CommerceOrderPortlet` component. **Recommendations** Update Liferay DXP versions prior to 2023.Q4.6.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.1 through 7.4.3.112 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP 7.4 GA through update 92 **Description** An insecure direct object reference (IDOR) issue exists in the Publications feature. This allows remote authenticated attackers to view and edit publication comments via crafted URLs. The issue stems from improper user permission checks. The ` com liferay change tracking web portlet PublicationsPortlet value` parameter is involved in the vulnerability. **Recommendations** Update Liferay Portal to a version later than 7.4.3.112. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay DXP 7.4 to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay Portal 7.4 GA through update 92 Older unsupported versions of Liferay Portal and Liferay DXP **Description** The software contains multiple stored cross-site scripting (XSS) flaws. These flaws allow a remote authenticated user to inject arbitrary web script or HTML through a crafted payload. The payload is injected into a user’s first, middle, or last name text field. This can affect several widgets and applications, including the page comments widget, blog entry comments, document and media document comments, message board messages, wiki page comments, and other widgets/apps that support mentions. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay Portal 7.4 GA to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.8 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay Portal versions 7.4 update 8 through update 92 **Description** A stored cross-site scripting (XSS) issue exists in the view order page of Commerce within the affected software. This allows a remote attacker to inject arbitrary web script or HTML code by providing a crafted payload into the “Name” text field of an Account. The injected code can then be executed when other users view the order page. **Recommendations** Liferay Portal version 7.4.3.112 or later should be used. Liferay DXP version 2023.Q3.9 or later should be used. Liferay DXP version 2023.Q4.6 or later should be used. Liferay Portal update 93 or later should be used.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.1 through 7.4.3.112 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 **Description** A cross-site request forgery (CSRF) issue exists. This allows remote attackers to add and edit publication comments. The affected functionality does not require authentication, potentially enabling unauthorized actions. **Recommendations** Update Liferay Portal to a version later than 7.4.3.112. Update Liferay DXP to a version later than 2023.Q3.10. Update Liferay DXP to a version later than 2023.Q4.5.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.21 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay versions 7.4 update 21 through update 92 **Description** A cross-site scripting (XSS) issue exists in the workflow process builder. This allows remote authenticated attackers to inject arbitrary web script or HTML through crafted input within a workflow definition. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.21 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay Portal versions 7.4 update 21 through update 92 **Description** A stored cross-site scripting (XSS) issue exists on the Membership page within Account Settings. This allows authenticated attackers to inject arbitrary web script or HTML code through a crafted payload. The payload is injected into the Account's “Name“ text field. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay Portal to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.35 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP versions 2023.Q3.1 through 2023.Q3.7 Liferay Portal versions 7.4 update 35 through update 92 Liferay Portal version 7.3 update 25 through update 36 **Description** The software contains multiple cross-site scripting (XSS) issues related to Calendar events. These issues allow remote attackers to inject arbitrary web script or HTML through crafted payloads. The injection points are the (1) First Name, (2) Middle Name, and (3) Last Name text fields. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.7. Update Liferay Portal to a version later than 7.4 update 92. Update Liferay Portal to a version later than 7.3 update 36.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.2 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q4.5 **Description** A stored cross-site scripting (XSS) issue exists in Forms within the software. This allows remote attackers to inject arbitrary web script or HTML through a crafted payload. The payload is injected into a form that uses a rich text type field. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay Portal to a version later than 7.3.35. Update Liferay Portal to a version later than 7.4.92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.18 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay Portal version 7.4 update 18 through update 92 **Description** A stored cross-site scripting (XSS) issue exists in diagram type products within Commerce in Liferay Portal and DXP. This allows remote attackers to inject arbitrary web script or HTML code through a crafted payload within an SVG file. The vulnerability affects SVG diagram components. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay Portal to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.102 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 **Description** The Notifications widget contains multiple cross-site scripting (XSS) issues. These allow remote attackers to inject arbitrary web script or HTML through crafted payloads. The injection points include the `First Name` text field, the `Middle Name` text field, the `Last Name` text field, the “Other Reason” text field when flagging content, and the name of the flagged content. Successful exploitation could allow an attacker to execute malicious scripts in the context of a user's browser. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q3.10 and 2023.Q4.5.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 **Description** A cross-site scripting (XSS) issue exists in the Commerce Product Comparison Table widget. This allows remote attackers to inject arbitrary web script or HTML through a crafted payload. The payload is injected into the Commerce Product's Name text field. **Recommendations** Liferay Portal versions 7.4.0 through 7.4.3.111 should be updated. Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 should be updated. Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 should be updated.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.15 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay versions 7.4 update 15 through update 92 **Description** The software contains multiple stored cross-site scripting (XSS) issues. These allow remote attackers to inject arbitrary web script or HTML. The injection occurs via a crafted payload in the Terms and Condition's Name text field. Specifically, the injection targets the Payment Terms and the Delivery Term on the view order page. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP 2023.Q4 versions prior to patch 6 Liferay DXP 2023.Q3 versions prior to patch 9 Liferay Portal versions 7.4 GA through update 92 **Description** A cross-site scripting (XSS) issue exists in the Commerce Search Result widget. This allows remote attackers to inject arbitrary web script or HTML through a crafted payload. The payload is injected into the Commerce Product's Name text field. **Recommendations** Update Liferay Portal to a version after 7.4.3.111. Apply patch 6 to Liferay DXP 2023.Q4. Apply patch 9 to Liferay DXP 2023.Q3. Update Liferay Portal to a version after update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay Portal 7.4 GA through update 92 **Description** The Profile widget is susceptible to a manipulation that allows authenticated remote users to alter the file extension when a vCard file is downloaded. This occurs because the widget incorporates a user’s name into the “Content-Disposition” header. **Recommendations** Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q3.8. Update Liferay DXP to a version later than 2023.Q4.5. Update Liferay Portal 7.4 to a version later than update 92.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.117 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.10 Liferay DXP versions 2024.Q1.1 through 2024.Q1.5 Liferay Portal 7.4 GA through update 92 Older unsupported versions **Description** An issue exists in Liferay Portal and DXP that allows remotely authenticated users to access audit events from a different virtual instance. This occurs due to an Insecure Direct Object Reference (IDOR) condition. The issue is related to the ` com liferay portal security audit web portlet AuditPortlet auditEventId` parameter. **Recommendations** Update Liferay Portal to a version after 7.4.3.117. Update Liferay DXP to a version after 2024.Q1.5. Update Liferay DXP to a version after 2023.Q4.10. Update Liferay DXP to a version after 2023.Q3.10. Update Liferay Portal to a version after update 92.