Liferay Portal XSS Vulnerability

MEDIUM (5.4) No Patch (65 days)

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 13%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Liferay Portal is a Java-based enterprise portal software used by organizations for intranet and extranet applications. The vulnerability discovered in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s First Name, Middle Name, or Last Name text field.

Am I affected?

Affected versions: Liferay Portal 7.4.3.35 through 7.4.3.111; Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36. If you don't recognise this software, you're probably not affected.

Affected Packages

maven: com.liferay.portal:com.liferay.portal.impl (portal-impl)

Affected Products

Liferay, Inc. / Liferay Portal (CE) and Liferay DXP

How to fix

  1. Upgrade to a release newer than the affected ranges listed above (note that 7.4.3.111 is itself listed as affected, so it is not a fix; at the time of this entry no patched version is listed).
  2. For immediate mitigation:
    • Restrict network access to your Liferay Portal instance (firewall it from the public internet) and limit who can self-register or edit user profiles, since the payload is planted through the First Name, Middle Name, or Last Name fields
    • Audit existing user records for HTML tags, event handlers (onerror=, onload=), or javascript: URIs in those three fields, and clean any you find; the payload is stored, so it fires for every admin or user who views the profile until the record is fixed
    • Deploy a Content-Security-Policy that disallows inline script, and keep session cookies HttpOnly, to limit what an injected script can do
    • Audit admin account activity for suspicious access patterns
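An audit script for the stored-XSS payload described above, as an added example written for this page (it is not Liferay's own code or part of the advisory). It assumes you have exported user records into dicts keyed by firstName / middleName / lastName, for instance from the User_ table or the headless user-accounts API; the sample records below are constructed, not real data. It also shows the output encoding that a profile-rendering component should apply to those fields.

```python
"""Scan exported Liferay user records for markup in name fields.

Added example for this advisory page, not Liferay's code. Record shape
(firstName/middleName/lastName/userId keys) is an assumption about how you
exported the data; SAMPLE_USERS is constructed test data.
"""
import html
import re

NAME_FIELDS = ("firstName", "middleName", "lastName")

# Things that have no business in a person's name: an HTML tag or comment,
# an inline event handler, a javascript: URI, or entity/percent-encoded
# angle brackets that a later decode step could turn back into a tag.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"             # <img, </script, <!--
    r"|\bon[a-z]+\s*="             # onerror=, onload=, onmouseover=
    r"|javascript\s*:"             # javascript: URI
    r"|&(lt|gt|#x?[0-9a-f]+);"     # &lt; &gt; &#60; &#x3c;
    r"|%3c|%3e",                   # %3C %3E
    re.IGNORECASE,
)


def find_suspicious_names(records):
    """Return (userId, field, value) for every name field that looks like markup."""
    hits = []
    for rec in records:
        for field in NAME_FIELDS:
            value = rec.get(field) or ""   # tolerate None / missing middle name
            if SUSPICIOUS.search(value):
                hits.append((rec["userId"], field, value))
    return hits


def escape_for_html(value):
    """Output-encode a name before placing it in HTML text or attribute context.

    This is the defence the vulnerable rendering path lacks: the stored value
    is left as-is in the database, but it is neutralised on output.
    """
    return html.escape(value or "", quote=True)


def safe_display_name(rec):
    """Build 'First Middle Last' with every component escaped."""
    parts = [escape_for_html(rec.get(f)) for f in NAME_FIELDS]
    return " ".join(p for p in parts if p)


# Constructed sample export: two legitimate users and three planted payloads.
SAMPLE_USERS = [
    {"userId": 20101, "firstName": "Alice", "middleName": "", "lastName": "O'Brien"},
    {"userId": 20102, "firstName": "<img src=x onerror=alert(document.cookie)>",
     "middleName": None, "lastName": "Smith"},
    {"userId": 20103, "firstName": "Bob", "middleName": "&lt;svg onload=alert(1)&gt;",
     "lastName": "Lee"},
    {"userId": 20104, "firstName": "Chen", "middleName": "", "lastName": "%3Cscript%3E"},
    {"userId": 20105, "firstName": "Dolores", "middleName": "Constance", "lastName": "von Trapp"},
]

if __name__ == "__main__":
    for user_id, field, value in find_suspicious_names(SAMPLE_USERS):
        print(f"user {user_id}: suspicious {field}: {value!r}")
    print(safe_display_name(SAMPLE_USERS[1]))
```

Run it against a real export and treat every hit as a record to clean by hand; the regex is deliberately broad (it will flag a name containing a literal ampersand entity), because a false positive here costs a minute of review while a missed payload keeps executing in every admin's browser.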

References