CVE-2023-3193

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.70 through 7.4.3.73 Liferay DXP 7.4 update 70 through 73

Description A cross-site scripting (XSS) issue exists in the Layout module's SEO configuration, allowing remote attackers to inject arbitrary web script or HTML via the com liferay layout admin web portlet GroupPagesPortlet backURL parameter. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Liferay Portal versions 7.4.3.70 through 7.4.3.73, restrict access to the Layout module's SEO configuration until a patch is available. For Liferay DXP 7.4 update 70 through 73, avoid using the com liferay layout admin web portlet GroupPagesPortlet backURL parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider disabling the SEO configuration in the Layout module to minimize the risk of exploitation.