GHSA-73x3-8mrg-5r93

GitHub Security Advisory

Liferay Portal Language Override edit screen and Liferay DXP vulnerable to reflected Cross-site Scripting

✓ GitHub Reviewed | CRITICAL | Has CVE

Advisory Details

A reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, Liferay DXP 2023.Q3 before patch 5, and Liferay DXP 7.4 update 4 through 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key` parameter.

Affected Packages

Maven com.liferay.portal:release.portal.bom
Affected versions: 7.4.3.8 (fixed in 7.4.3.98)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 2023.Q3 (fixed in 2023.Q3.5)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 7.4.13.u4 (last affected: 7.4.13.u92)

Key Information

GHSA ID: GHSA-73x3-8mrg-5r93
Published: February 21, 2024 3:30 AM
Last Modified: January 28, 2025 3:00 PM
CVSS Score: 9.0/10
Primary Ecosystem: Maven
Primary Package: com.liferay.portal:release.portal.bom
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.