PT-2023-28455 · Liferay · Liferay DXP, Liferay Portal

Michael Oelke · Published 2023-10-17 · Updated 2024-01-31
CVE-2023-42627
CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.5 through 7.4.3.91
Liferay DXP versions 7.3 update 33 and earlier, and 7.4 before update 92

Description
Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module allow remote attackers to inject arbitrary web script or HTML via a crafted payload entered into various fields, including Shipping Name, Shipping Phone Number, Shipping Address, Billing Name, Billing Phone Number, Billing Address, and others.

Recommendations
For Liferay Portal versions 7.3.5 through 7.4.3.91, update to a version later than 7.4.3.91. For Liferay DXP 7.3 update 33 and earlier, update to a version later than update 33. For Liferay DXP 7.4 before update 92, update to update 92 or later. As a temporary workaround, consider restricting access to the Commerce module until a patch is available, and avoid using the vulnerable fields in the Commerce module until the issue is resolved.
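A defender-side check that follows from the description above, added here as an illustration and not taken from the advisory or from Liferay's own code: it walks constructed order records, flags any of the six named checkout fields whose stored value contains an HTML tag, an on* event-handler attribute or a javascript: URL, and shows the output encoding that stops a stored value from being rendered as markup. The field names, the record layout, the SAMPLE_ORDERS data and the two payload strings in it are assumptions made for the example.

```python
"""Audit stored checkout fields for injected markup and render them safely.

Illustration for CVE-2023-42627 (stored XSS via Commerce checkout fields).
Not Liferay code: field names follow the advisory text, the record layout
and the SAMPLE_ORDERS below are constructed for this example.
"""
import html
from html.parser import HTMLParser

# Fields the advisory names as injection points (snake_case is assumed).
AUDITED_FIELDS = (
    "shipping_name", "shipping_phone", "shipping_address",
    "billing_name", "billing_phone", "billing_address",
)

# Attributes whose value may carry a script URL.
URL_ATTRIBUTES = ("href", "src", "action", "formaction")


class _MarkupDetector(HTMLParser):
    """Records every tag, on* attribute and javascript: URL seen in a value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Any element at all is suspicious inside a name or phone field.
        self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler {lname} on <{tag}>")
            elif (lname in URL_ATTRIBUTES and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(f"javascript: URL in {lname} on <{tag}>")


def find_markup(value):
    """Return a list of findings for one stored field value ([] if clean).

    Plain text such as '1 Main St < 3rd floor' or 'Smith & Co' produces no
    findings because HTMLParser only treats '<' followed by a letter as a tag.
    """
    detector = _MarkupDetector()
    detector.feed(value or "")
    detector.close()
    return detector.findings


def audit_orders(orders):
    """Map order_id -> {field: findings} for every order with a flagged field."""
    report = {}
    for order in orders:
        flagged = {}
        for field in AUDITED_FIELDS:
            findings = find_markup(order.get(field, ""))
            if findings:
                flagged[field] = findings
        if flagged:
            report[order["order_id"]] = flagged
    return report


def render_field(value):
    """Contextual output encoding for an HTML text or attribute context.

    Escaping at render time (not sanitising at store time) is what prevents
    a stored payload from executing; quote=True also covers attribute values.
    """
    return html.escape(value or "", quote=True)


# Constructed sample data: one clean order, one carrying injected markup.
SAMPLE_ORDERS = [
    {"order_id": "A-1001", "shipping_name": "Alice Example",
     "shipping_phone": "+1 555 0100", "shipping_address": "1 Main St < 3rd floor",
     "billing_name": "Smith & Co", "billing_phone": "+1 555 0100",
     "billing_address": "1 Main St"},
    {"order_id": "A-1002",
     "shipping_name": "<script>alert(1)</script>",           # constructed payload
     "shipping_phone": "+1 555 0199", "shipping_address": "2 Side St",
     "billing_name": "Bob Example", "billing_phone": "+1 555 0199",
     "billing_address": "<img src=x onerror=alert(1)>"},     # constructed payload
]


if __name__ == "__main__":
    for order_id, fields in audit_orders(SAMPLE_ORDERS).items():
        for field, findings in fields.items():
            print(f"{order_id} {field}: {'; '.join(findings)}")
    # Encoded, the stored value is inert text rather than an element.
    print(render_field(SAMPLE_ORDERS[1]["shipping_name"]))
```

Running the audit over an export of stored orders is a way to check whether the fields were ever abused before the update; the encoding function is the control that makes the display path safe regardless of what was stored.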


Related Identifiers

BIT-LIFERAY-2023-42627
CVE-2023-42627
GHSA-QP68-5V39-R869

Affected Products

Liferay DXP
Liferay Portal