CVE-2022-28978

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.0.1 through 7.4.1 Liferay DXP 7.0 before fix pack 102 Liferay DXP 7.1 before fix pack 26 Liferay DXP 7.2 before fix pack 15 Liferay DXP 7.3 before service pack 3

Description A stored cross-site scripting (XSS) issue in the Site module's user membership administration page allows remote attackers to inject arbitrary web script or HTML via a user's name. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Liferay Portal versions 7.0.1 through 7.4.1, update to a version outside of this range or apply the necessary fix pack or service pack. For Liferay DXP 7.0, apply fix pack 102 or later. For Liferay DXP 7.1, apply fix pack 26 or later. For Liferay DXP 7.2, apply fix pack 15 or later. For Liferay DXP 7.3, apply service pack 3 or later. As a temporary workaround, consider restricting user input for names to minimize the risk of exploitation.