PT-2022-17946 · Liferay · Liferay Portal+1

Duy Huynh · Published 2022-04-19 · Updated 2024-01-31 · CVE-2022-26593

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3.3 through 7.4.0
Liferay DXP 7.3 before service pack 3

Description

A cross-site scripting (XSS) issue exists in the Asset module's asset categories selector, allowing remote attackers to inject arbitrary web script or HTML via the name of an asset category.

Recommendations

For Liferay Portal versions 7.3.3 through 7.4.0, update to a version outside of this range to resolve the issue. For Liferay DXP 7.3 before service pack 3, apply service pack 3 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the Asset module's asset categories selector until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2022-26593
CVE-2022-26593
GHSA-Q2RP-XFJ8-R95H

Affected Products

Liferay DXP
Liferay Portal