Beware of XSS Vulnerability in Liferay Portal and DXP

CVE: CVE-2023-42497
CVSS (v3.1): 9.6
Source: CVE-2023-42497

Liferay Portal and DXP are popular open source portal and digital experience platforms that were found to have a high severity cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when an application reflects untrusted input into a web page without proper validation or encoding, so the victim's browser executes attacker-supplied script in the context of an otherwise trusted site. Attackers can exploit XSS vulnerabilities to steal user cookies and session tokens, hijack user accounts, or spread malware.

The vulnerability in Liferay Portal and DXP exists in the Export for Translation page. By crafting a malicious value for the “_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect” parameter, an attacker could embed JavaScript code that users’ browsers would execute whenever they visit the vulnerable page. This would allow the attacker to carry out XSS attacks such as stealing login credentials or injecting malware.

To protect themselves, users should update their Liferay Portal or DXP installation to the latest versions, which address this vulnerability. Applying software updates promptly and regularly is important because updates patch known security issues. Users should also be cautious of suspicious or unsolicited links and avoid clicking on them. An ad blocker and anti-malware software can provide additional protection by preventing malicious scripts from being loaded.
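The following Python is an added example, not code from Liferay or from this advisory. It shows the two defender-side controls the bug described above calls for: validating a reflected redirect parameter and HTML-encoding it on output so it cannot break out of the page, and a simple scan of web server access-log lines for script-like content in the affected parameter. The function names, the hidden-field template, the request paths and the log lines are all constructed for the example.

```python
# Added example, not code from Liferay or this advisory: input validation and
# output encoding for a reflected "redirect" parameter, plus a log scan for the
# parameter named in CVE-2023-42497. Names, paths and log lines are constructed.
import html
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect"

def is_safe_redirect(value: str) -> bool:
    """Accept only a same-site relative path: one leading '/', no scheme or
    host, no network-path form ('//' or '/\\'), no control characters."""
    if not value.startswith("/") or value.startswith(("//", "/\\")):
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    return re.search(r"[\x00-\x1f\x7f]", value) is None

def render_redirect_field(value: str, fallback: str = "/") -> str:
    """Emit the hidden field (constructed template): validate the target, fall
    back to a safe default, and HTML-encode it so quotes and angle brackets
    cannot break out of the attribute value."""
    target = value if is_safe_redirect(value) else fallback
    return '<input type="hidden" name="redirect" value="%s">' % html.escape(target)

# Script-like fragments that should never appear in a redirect target.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

def flag_requests(log_lines):
    """Return access-log lines whose PARAM value (URL-decoded by parse_qs)
    contains script-like content."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        values = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        if any(SUSPICIOUS.search(v) for v in values.get(PARAM, [])):
            hits.append(line)
    return hits

# Constructed sample log lines: a benign export request and a crafted one.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /translation/export?'
    + PARAM + '=%2Fweb%2Fguest%2Fhome HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /translation/export?'
    + PARAM + '=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
]
```

Validation alone is not enough: even an accepted path is encoded before being written into the attribute, which is the control that stops a reflected value from closing the tag.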
