Michael Oelke

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.5 through 7.4.3.91 Liferay DXP versions 7.3 update 33 and earlier, and 7.4 before update 92 **Description** Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into various fields, including `Shipping Name`, `Shipping Phone Number`, `Shipping Address`, `Billing Name`, `Billing Phone Number`, `Billing Address`, and others. **Recommendations** For Liferay Portal versions 7.3.5 through 7.4.3.91, update to a version later than 7.4.3.91. For Liferay DXP versions 7.3 update 33 and earlier, update to a version later than update 33. For Liferay DXP version 7.4 before update 92, update to update 92 or later. As a temporary workaround, consider restricting access to the Commerce module until a patch is available. Avoid using the vulnerable fields in the Commerce module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.1.0 through 7.4.3.87 Liferay DXP versions 7.0 fix pack 83 through 102 Liferay DXP versions 7.1 fix pack 28 and earlier Liferay DXP versions 7.2 fix pack 20 and earlier Liferay DXP versions 7.3 update 33 and earlier Liferay DXP versions 7.4 before update 88 **Description** A stored cross-site scripting (XSS) issue in the Wiki widget allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's `Content` text field. **Recommendations** For Liferay Portal versions 7.1.0 through 7.4.3.87, update to a version after 7.4.3.87. For Liferay DXP versions 7.0 fix pack 83 through 102, update to a fix pack after 102. For Liferay DXP versions 7.1 fix pack 28 and earlier, update to a fix pack after 28. For Liferay DXP versions 7.2 fix pack 20 and earlier, update to a fix pack after 20. For Liferay DXP versions 7.3 update 33 and earlier, update to an update after 33. For Liferay DXP versions 7.4 before update 88, update to update 88 or later. As a temporary workaround, consider restricting access to the Wiki widget until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.2 through 7.4.3.87 Liferay DXP 7.4 before update 88 **Description** A stored cross-site scripting (XSS) issue exists in the manage vocabulary page, allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's `description` text field. **Recommendations** For Liferay Portal versions 7.4.2 through 7.4.3.87, update to a version after 7.4.3.87 to resolve the issue. For Liferay DXP 7.4 before update 88, apply update 88 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the manage vocabulary page until a patch is available. Avoid using the `description` text field in the affected page until the issue is resolved.