PT-2024-17388 · Liferay · Liferay Portal +1

Published 2024-12-17 · Updated 2024-12-18 · CVE-2024-11993

CVSS v3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions:

Liferay Portal versions 7.1.0 through 7.4.3.38

Liferay DXP versions 7.4 GA through update 38

Liferay DXP versions 7.3 GA through update 36

Liferay DXP versions 7.2 GA through fix pack 20

Liferay DXP versions 7.1 GA through fix pack 28

Description:

A reflected cross-site scripting (XSS) issue allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field. Because the payload is reflected rather than stored, a victim has to open a crafted request (the CVSS vector records User Interaction: Required); the injected script then runs in the victim's browser in the context of the portal, potentially leading to unauthorized actions on the affected system.

Recommendations:

For Liferay Portal versions 7.1.0 through 7.4.3.38, update to a release outside of this range (that is, newer than 7.4.3.38) to mitigate the risk.

For Liferay DXP versions 7.4 GA through update 38, apply update 39 or later.

For Liferay DXP versions 7.3 GA through update 36, apply update 37 or later.

For Liferay DXP versions 7.2 GA through fix pack 20, apply fix pack 21 or later.

For Liferay DXP versions 7.1 GA through fix pack 28, apply fix pack 29 or later.

As a temporary workaround, consider restricting access to the Dispatch name field until a patch is available.

Tags: Fix · RCE · XSS

Related Identifiers:

CVE-2024-11993
GHSA-4HXR-28MV-Q729

Affected Products:

Liferay DXP
Liferay Portal