PT-2024-12863 · Liferay · Liferay Portal+1
Amin Achour · Published 2024-02-20 · Updated 2024-02-22
CVE-2023-40191
CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.4.3.44 through 7.4.3.97
Liferay DXP 2023.Q3 before patch 6
Liferay DXP versions 7.4 update 44 through 92

Description
A reflected cross-site scripting (XSS) issue exists in the instance settings for Accounts. Remote attackers can inject arbitrary web script or HTML via a crafted payload supplied to the Blocked Email Domains text field, and the injected script then executes in the victim's browser.

Recommendations
For Liferay Portal versions 7.4.3.44 through 7.4.3.97, update to a version outside of this range to resolve the issue.
For Liferay DXP 2023.Q3, apply patch 6 or later to fix the vulnerability.
For Liferay DXP versions 7.4 update 44 through 92, update to a version outside of this range or apply the necessary patch to resolve the issue.
As a temporary workaround, consider restricting access to the Blocked Email Domains text field in the instance settings for Accounts until a patch is available.
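The two controls that close a bug of this class, shown as an added example that is not Liferay's code: strict server-side validation of the Blocked Email Domains value against a domain-list grammar, and HTML-escaping of whatever part of the submission is reflected back into the page on error. The one-domain-per-line format, the function names and the sample submission are assumptions.

```python
"""Defensive handling of a 'Blocked Email Domains' settings field (added example).

Not Liferay's code. It shows (1) validating the submitted value against the
domain-list grammar so markup never becomes a stored entry, and (2) escaping
anything reflected back to the user, e.g. in a validation error message.
The one-domain-per-line format and the function names are assumptions.
"""
import html
import re

# Hostname label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# A blockable domain needs at least two labels (e.g. example.com).
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_blocked_domains(raw: str) -> tuple[list[str], list[str]]:
    """Split a submitted field value into accepted domains and rejected entries.

    Accepted entries are lower-cased and de-duplicated; anything that is not a
    syntactically valid domain (markup included) lands in the rejected list.
    """
    accepted, rejected = [], []
    for entry in raw.splitlines():
        entry = entry.strip().lower()
        if not entry:
            continue
        if len(entry) <= 253 and _DOMAIN_RE.match(entry):
            if entry not in accepted:
                accepted.append(entry)
        else:
            rejected.append(entry)
    return accepted, rejected


def render_validation_error(rejected: list[str]) -> str:
    """Build the HTML fragment that reflects rejected entries back to the user.

    html.escape() turns <, >, &, " and ' into entities, so an attacker-controlled
    entry is rendered as text and never parsed as markup by the browser.
    """
    items = "".join(f"<li>{html.escape(r, quote=True)}</li>" for r in rejected)
    return f"<p>Invalid blocked email domains:</p><ul>{items}</ul>"


# Constructed sample submission: two valid domains, one duplicate, one injected tag.
SAMPLE_SUBMISSION = "spam.example\nMail.Example.ORG\nspam.example\n<script>alert(1)</script>\n"

if __name__ == "__main__":
    ok, bad = parse_blocked_domains(SAMPLE_SUBMISSION)
    print(ok, bad)
    print(render_validation_error(bad))
```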

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-40191
GHSA-468X-FRCM-GHX6

Affected Products

Liferay DXP
Liferay Portal