PT-2022-19339 · Liferay · Liferay Portal +1

Published: 2022-09-21 · Updated: 2025-05-27 · CVE-2022-28979

CVSS v3.1: 6.1

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions:

Liferay Portal versions 7.1.0 through 7.4.2

Liferay DXP 7.1 before fix pack 26

Liferay DXP 7.2 before fix pack 15

Liferay DXP 7.3 before service pack 3

Description:

A cross-site scripting (XSS) issue was discovered in the Portal Search module's Custom Facet widget. This issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Custom Parameter Name` text field.

Recommendations:

For Liferay Portal versions 7.1.0 through 7.4.2, update to a version that includes the fix for this issue.

For Liferay DXP 7.1, apply fix pack 26 or later.

For Liferay DXP 7.2, apply fix pack 15 or later.

For Liferay DXP 7.3, apply service pack 3 or later.

As a temporary workaround, consider restricting access to the Custom Facet widget in the Portal Search module until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-28979
GHSA-7R3W-WGGM-PJWF

Affected Products

Liferay DXP
Liferay Portal