CVE-2023-44309

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.2 through 7.4.3.53 Liferay DXP 7.4 before update 54

Description The issue concerns multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.

Recommendations For Liferay Portal versions 7.4.2 through 7.4.3.53, update to a version after 7.4.3.53 to resolve the issue. For Liferay DXP 7.4 before update 54, apply update 54 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the fragment components in Liferay Portal and Liferay DXP until a patch is available.