CVE-2023-33940

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.30 Liferay DXP 7.4 before update 31

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL in IFrame type Remote Apps. This enables attackers to execute malicious scripts on the client-side.

Recommendations For Liferay Portal versions 7.4.0 through 7.4.3.30, update to a version after 7.4.3.30 to resolve the issue. For Liferay DXP 7.4 before update 31, apply update 31 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the IFrame URL in Remote Apps to minimize the risk of exploitation.