PT-2024-13049 · Liferay · Liferay Portal+1

Amin Achour · Published 2024-02-20 · Updated 2025-01-28

CVE-2023-42498 · CVSS v3.1 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.8 through 7.4.3.97
Liferay DXP 2023.Q3 before patch 5
Liferay DXP versions 7.4 update 4 through 92
Description

A reflected cross-site scripting (XSS) issue exists in the Language Override edit screen, allowing remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter. This lets an attacker execute script of their choosing in the victim's browser, in the context of the Liferay site.
Recommendations

For Liferay Portal versions 7.4.3.8 through 7.4.3.97, update to a version outside of this range to resolve the issue. For Liferay DXP 2023.Q3, apply patch 5 to fix the vulnerability. For Liferay DXP versions 7.4 update 4 through 92, update to a version outside of this range or apply the necessary patch to resolve the issue. As a temporary workaround, consider restricting access to the Language Override edit screen until a patch is applied. Avoid relying on the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter of the affected endpoint until the issue is resolved.
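The three affected ranges above, turned into a small version checker for inventory or triage scripts. This is an added example, not part of the advisory or of Liferay's own tooling; the accepted version-string formats are assumptions chosen for the example.

```python
import re

# Affected ranges exactly as the advisory states them (inclusive bounds).
PORTAL_RANGE = ((7, 4, 3, 8), (7, 4, 3, 97))   # Liferay Portal 7.4.3.8 .. 7.4.3.97
DXP_74_UPDATE_RANGE = (4, 92)                   # Liferay DXP 7.4 update 4 .. update 92
DXP_2023_Q3_FIXED_PATCH = 5                     # Liferay DXP 2023.Q3 fixed from patch 5 on

# Assumed input formats (constructed for this example, not Liferay's own version grammar):
#   Portal:      "7.4.3.97"
#   DXP 7.4:     "7.4 update 92", "7.4-u92" or "7.4.13-u92"
#   DXP 2023.Q3: "2023.Q3", "2023.Q3 patch 5" or "2023.Q3.5"
_PORTAL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")
_DXP_74_RE = re.compile(r"7\.4(?:\.\d+)?[ -]*u(?:pdate)?\s*(\d+)", re.I)
_DXP_Q3_RE = re.compile(r"2023\.Q3(?:[ .]*(?:patch\s*)?(\d+))?", re.I)


def portal_affected(version: str) -> bool:
    """True if a Liferay Portal version lies inside the vulnerable range."""
    m = _PORTAL_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Liferay Portal version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return PORTAL_RANGE[0] <= v <= PORTAL_RANGE[1]


def dxp_affected(version: str) -> bool:
    """True if a Liferay DXP version lies inside one of the two vulnerable ranges."""
    s = version.strip()
    m = _DXP_74_RE.fullmatch(s)
    if m:
        update = int(m.group(1))
        return DXP_74_UPDATE_RANGE[0] <= update <= DXP_74_UPDATE_RANGE[1]
    m = _DXP_Q3_RE.fullmatch(s)
    if m:
        # No patch number means the unpatched 2023.Q3 release, treated as patch 0.
        patch = int(m.group(1)) if m.group(1) else 0
        return patch < DXP_2023_Q3_FIXED_PATCH
    raise ValueError(f"unrecognised Liferay DXP version: {version!r}")


def is_affected(product: str, version: str) -> bool:
    """Dispatch on the product names the advisory uses ('Liferay Portal' / 'Liferay DXP')."""
    p = product.strip().lower()
    if p == "liferay portal":
        return portal_affected(version)
    if p == "liferay dxp":
        return dxp_affected(version)
    raise ValueError(f"unknown product: {product!r}")


if __name__ == "__main__":
    for prod, ver in [("Liferay Portal", "7.4.3.50"), ("Liferay DXP", "2023.Q3 patch 5")]:
        print(prod, ver, "AFFECTED" if is_affected(prod, ver) else "not affected")
```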

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-42498
GHSA-73X3-8MRG-5R93

Affected Products

Liferay DXP
Liferay Portal