CVE-2023-42628

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.1.0 through 7.4.3.87 Liferay DXP versions 7.0 fix pack 83 through 102 Liferay DXP versions 7.1 fix pack 28 and earlier Liferay DXP versions 7.2 fix pack 20 and earlier Liferay DXP versions 7.3 update 33 and earlier Liferay DXP versions 7.4 before update 88

Description A stored cross-site scripting (XSS) issue in the Wiki widget allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's Content text field.

Recommendations For Liferay Portal versions 7.1.0 through 7.4.3.87, update to a version after 7.4.3.87. For Liferay DXP versions 7.0 fix pack 83 through 102, update to a fix pack after 102. For Liferay DXP versions 7.1 fix pack 28 and earlier, update to a fix pack after 28. For Liferay DXP versions 7.2 fix pack 20 and earlier, update to a fix pack after 20. For Liferay DXP versions 7.3 update 33 and earlier, update to an update after 33. For Liferay DXP versions 7.4 before update 88, update to update 88 or later. As a temporary workaround, consider restricting access to the Wiki widget until a patch is available.