PT-2024-13048 · Liferay · Liferay Portal, Liferay DXP

Amin Achour · Published 2024-02-20 · Updated 2025-01-28

CVE-2023-42496
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal 7.3.3 through 7.4.3.97
Liferay DXP 2023.Q3 before patch 6
Liferay DXP 7.4 GA through update 92
Liferay DXP 7.3 before update 34

Description

A reflected cross-site scripting (XSS) issue exists on the "add assignees to a role" page of the Roles Admin portlet. The page writes the value of the portlet-namespaced request parameter _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 back into its HTML without adequate output encoding, so a remote, unauthenticated attacker (PR:N) who gets a user to open a crafted link (UI:R) can inject arbitrary web script or HTML that executes in that user's browser within their authenticated portal session. Because the page belongs to the role-administration UI, the realistic victim is an administrator, which is why the impact is rated high across confidentiality, integrity and availability.

Recommendations

Liferay Portal 7.3.3 through 7.4.3.97: upgrade to a release later than 7.4.3.97 (7.4.3.98 or later).
Liferay DXP 2023.Q3: apply patch 6 or later.
Liferay DXP 7.4 GA: apply update 93 or later.
Liferay DXP 7.3: apply update 34 or later (update 34 is the first unaffected update, per the affected range above).

Until the fix is applied, restrict the "add assignees to a role" page (the Roles Admin portlet) to trusted administrators, and, where a WAF or reverse proxy fronts the portal, reject or at least log requests whose _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 value contains anything other than a plain tab identifier (letters, digits, hyphen, underscore) once percent-decoded. Note that this parameter is supplied by the attacker in the crafted link, so "not using it" in normal administration offers no protection on its own; only filtering at the edge or patching does.
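The two checks a practitioner would want from the description and recommendations above, as an added example: a scan over access-log lines that flags requests carrying this parameter with HTML metacharacters, and a verdict function that tells whether a harmless canary sent in the parameter came back HTML-encoded (patched behaviour) or verbatim (the unescaped reflection the advisory describes). This is illustrative code written for this advisory, not Liferay's code and not from the original page; the request path, the allow-list for tab ids and the log lines are constructed assumptions.

```python
"""
Added example for CVE-2023-42496: offline checks for the reflected XSS in the
Roles Admin portlet's _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2
parameter. Illustrative code written for this advisory, not Liferay's code.
The request path and the log lines below are constructed for the example.
"""
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# The vulnerable, portlet-namespaced request parameter named in the advisory.
PARAM = "_com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2"

# Assumption: a legitimate tab id is a plain token. Anything else in this
# parameter (angle brackets, quotes, percent-encoded metacharacters once
# decoded) is worth flagging, whether it is a scanner or a real exploit attempt.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]*$")

# Apache/nginx "combined" access-log format:
# client ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_param(target: str) -> list:
    """Return every URL-decoded value of PARAM in a request target ([] if absent)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get(PARAM, [])


def scan_access_log(lines):
    """Yield (client, time, decoded_value) for each request whose PARAM value
    falls outside the allow-list. parse_qs already percent-decodes, so encoded
    payloads such as %3Cscript%3E are caught as well."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for value in extract_param(m["target"]):
            if not SAFE_VALUE.match(value):
                yield (m["client"], m["time"], value)


def reflection_verdict(body: str, canary: str) -> str:
    """Classify how a response reflected a harmless canary sent in PARAM.

    "unescaped": the canary appears verbatim, i.e. markup passes through
                 (the condition this advisory describes).
    "escaped":   only the HTML-encoded form appears (expected after patching).
    "absent":    the parameter is not reflected at all.
    Use a canary whose only metacharacters are '<' and '>' so the encoded form
    is unambiguous regardless of how quotes are entity-encoded.
    """
    if canary in body:
        return "unescaped"
    if escape(canary, quote=True) in body:
        return "escaped"
    return "absent"


# Constructed sample log lines. The path is illustrative of how Liferay
# addresses a portlet via p_p_id; it is an assumption, not taken from the advisory.
PAGE = "/group/control_panel/manage?p_p_id=com_liferay_roles_admin_web_portlet_RolesAdminPortlet"
SAMPLE_LOG = [
    # Normal administrator navigation: plain tab id, nothing to flag.
    f'10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET {PAGE}&{PARAM}=users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Probe: percent-encoded angle brackets in the tab parameter.
    f'203.0.113.7 - - [20/Feb/2024:10:05:44 +0000] "GET {PAGE}&{PARAM}=%3Cxsscanary%3E HTTP/1.1" 200 5200 "-" "curl/8.0"',
    # Unrelated request that does not carry the parameter.
    '10.0.0.9 - - [20/Feb/2024:10:06:00 +0000] "GET /web/guest/home HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, when, value in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client} suspicious {PARAM}={value!r}")
    # Constructed response fragments standing in for a vulnerable and a patched page.
    print(reflection_verdict('<li class="<xsscanary>">', "<xsscanary>"))        # unescaped
    print(reflection_verdict('<li class="&lt;xsscanary&gt;">', "<xsscanary>"))  # escaped
```

The log scan is the detection side: run it over the reverse proxy's access log (Liferay's own access logs work too if they record the full query string), and treat any hit from outside the administrators' address space as a probing attempt against this CVE. The verdict function is the verification side: send a single request with a canary such as `<xsscanary>` in the parameter, feed the response body to it, and expect "escaped" after applying the updates listed above; "unescaped" means the instance is still exposed. Neither function executes anything in a browser.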

Fix: available (see Recommendations)

Weakness Enumeration: XSS (CWE-79, Improper Neutralization of Input During Web Page Generation)

Related Identifiers

CVE-2023-42496
GHSA-54PV-R62J-9QQC

Affected Products

Liferay DXP
Liferay Portal