CVE-2023-33944

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.4 through 7.4.3.68 Liferay DXP versions 7.3 before update 24 Liferay DXP versions 7.4 before update 69

Description A cross-site scripting (XSS) issue in the Layout module allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's URL text field. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Liferay Portal versions 7.3.4 through 7.4.3.68, update to a version after 7.4.3.68 to resolve the issue. For Liferay DXP versions 7.3 before update 24, apply update 24 or later to fix the vulnerability. For Liferay DXP versions 7.4 before update 69, apply update 69 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the Layout module's container type layout fragment to minimize the risk of exploitation. Avoid using the URL text field in the affected layout fragment until the issue is resolved.