CVE-2023-44311

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.41 through 7.4.3.89 Liferay DXP 7.4 update 41 through update 89

Description Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the code or error parameters. This issue is caused by an incomplete fix.

Recommendations For Liferay Portal versions 7.4.3.41 through 7.4.3.89, consider disabling the OAuth2ProviderApplicationRedirect class until a patch is available. For Liferay DXP 7.4 update 41 through update 89, restrict access to the Plugin for OAuth 2.0 module to minimize the risk of exploitation. Avoid using the code and error parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.