PT-2024-12668 · Liferay · Liferay Portal, Liferay DXP

Abderrahmane Bounhidja

Published 2024-12-17 · Updated 2024-12-19

CVE-2023-37940

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.0.0 through 7.4.3.87
Liferay DXP versions 7.4 GA through update 87
Liferay DXP versions 7.3 GA through update 29
Description

A cross-site scripting (XSS) issue in the edit Service Access Policy page allows remote attackers to inject arbitrary web script or HTML via a crafted payload placed in a service access policy's Service Class text field. This enables attackers to execute malicious scripts in the browser of a user who views the affected page.
Recommendations

For Liferay Portal versions 7.0.0 through 7.4.3.87, update to the latest version to mitigate the issue.
For Liferay DXP versions 7.4 GA through update 87, apply the recommended patches and update to the latest version.
For Liferay DXP versions 7.3 GA through update 29, apply the recommended patches and update to the latest version.

As a temporary workaround, consider restricting access to the edit Service Access Policy page until a patch is available, and avoid using the Service Class text field in the affected API endpoint until the issue is resolved.
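As an added illustration (not Liferay's own code), the following Python shows the two defender-side controls implied by the description: an allow-list check that a Service Class value is a syntactically valid Java class name, and HTML escaping when the stored value is rendered back into a page. The policy records, the field name "serviceClass" and the sample payload are constructed for the example.

```python
import html
import re

# A Service Class value names a Java class: a dotted sequence of Java
# identifiers. A legitimate value therefore never contains '<', '"' or
# whitespace, so a syntactic allow-list rejects any markup outright.
JAVA_FQCN = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")


def is_valid_service_class(value: str) -> bool:
    """Input validation: accept only strings shaped like a Java class name."""
    return JAVA_FQCN.fullmatch(value) is not None


def render_unescaped(value: str) -> str:
    """The defective pattern: the stored string is placed in the page verbatim,
    so any markup it carries is parsed and executed by the browser."""
    return f"<td>{value}</td>"


def render_escaped(value: str) -> str:
    """Output encoding: escape '<', '>', '&' and quotes before rendering, so a
    stored payload is displayed as inert text instead of being interpreted."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def audit_policies(policies):
    """Return the names of stored policies whose Service Class field is not a
    valid Java class name; a cheap sweep for payloads already persisted
    before the patch was applied."""
    return [p["name"] for p in policies if not is_valid_service_class(p["serviceClass"])]


# Constructed sample records (not real Liferay data): one clean policy and one
# whose Service Class field carries markup.
SAMPLE_POLICIES = [
    {"name": "user-read", "serviceClass": "com.liferay.portal.kernel.service.UserService"},
    {"name": "tampered", "serviceClass": "com.example.Svc<script>alert(1)</script>"},
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["name"], is_valid_service_class(p["serviceClass"]), render_escaped(p["serviceClass"]))
    print("flagged:", audit_policies(SAMPLE_POLICIES))
```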

Weakness Enumeration

XSS

Related Identifiers

CVE-2023-37940
GHSA-PX38-239G-X5MG

Affected Products

Liferay DXP
Liferay Portal