PT-2020-19856 · Liferay · Liferay Portal

Casey Erdmann · Published 2020-01-28 · Updated 2022-05-24 · CVE-2020-7934

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Liferay Portal CE versions 7.1.0 through 7.2.1 GA2

Description: The First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users, specifically if a user with modified fields occurs in the search results.

Recommendations: For versions 7.1.0 through 7.2.1 GA2, update to Liferay Portal CE version 7.3.0 GA1 to resolve the issue. As a temporary workaround, consider restricting access to the MyAccountPortlet or disabling the search feature until a patch is available. Avoid using the First Name, Middle Name, and Last Name fields in the MyAccountPortlet until the issue is resolved.
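The pattern described above, as an added example that is not Liferay's code: a search-result renderer that concatenates stored name fields into markup beside a hardened one that escapes each field at output time, plus an audit helper that flags accounts whose stored names already contain markup characters. The field names, the row template and the sample accounts are assumptions for illustration.

```javascript
// Added example (not Liferay's code): the stored-XSS pattern from the
// advisory, as a vulnerable renderer beside a hardened one, plus a
// defender-side audit over stored account names.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: stored profile fields are concatenated straight into the row.
// A name that carries HTML is rendered as HTML whenever the account shows
// up in another user's search results.
function renderSearchRowVulnerable(user) {
  const fullName = [user.firstName, user.middleName, user.lastName]
    .filter(Boolean)
    .join(" ");
  return `<tr><td>${fullName}</td></tr>`;
}

// Hardened: every stored field is escaped at output time, so markup in a
// name is displayed as literal text instead of being interpreted.
function renderSearchRowSafe(user) {
  const fullName = [user.firstName, user.middleName, user.lastName]
    .filter(Boolean)
    .map(escapeHtml)
    .join(" ");
  return `<tr><td>${fullName}</td></tr>`;
}

// Audit helper: return the ids of accounts whose name fields contain
// markup-significant characters, for review after upgrading.
function findSuspiciousNames(users) {
  const markup = /[<>"'&]/;
  return users
    .filter((u) =>
      [u.firstName, u.middleName, u.lastName].some((f) => markup.test(f || ""))
    )
    .map((u) => u.id);
}

// Constructed sample accounts (not real data); the second carries harmless
// markup in its last name as a stand-in for a stored payload.
const SAMPLE_USERS = [
  { id: 1, firstName: "Alice", middleName: "", lastName: "Liddell" },
  { id: 2, firstName: "Bob", middleName: "", lastName: "<b>Doe</b>" },
];
```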

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-7934
GHSA-F99H-H678-FGG4

Affected Products

Liferay Portal