Liferay Portal and Liferay DXP Cross-Site Scripting Vulnerability in Blogs Widget

A cross-site scripting (XSS) vulnerability has been identified in the Blogs widget of Liferay Portal and Liferay DXP. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML by crafting an iframe and inserting it into a blog entry's 'Content' text field. The issue is present in Liferay Portal versions 7.4.0 through 7.4.3.111, as well as older unsupported versions, and in Liferay DXP versions 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions. The vulnerability arises because the Blogs widget in Liferay DXP does not apply the sandbox attribute to iframe elements, enabling remote attackers to access the parent page through scripts and links in the iframe.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users can upgrade to Liferay Portal 7.4.3.112 or Liferay DXP 2024.Q1.1, 2023.Q3.9 to address this vulnerability.