CVE-2022-38902: 
Liferay Portal vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability was discovered in Liferay Digital Experience Platform 7.3.10 SP3's Blog module, specifically in the add new topic functionality. The vulnerability, identified as CVE-2022-38902, allows remote attackers to inject arbitrary JavaScript script or HTML into the name field of newly created topics (NVD, CVE).

The vulnerability affects the name field parameter 'comliferayassetcategoriesadminwebportletAssetCategoriesAdminPortlettitlede_DE' in the Content & Data > Blogs module. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (Offensity Blog, NVD).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers when they view categories while assigning them to specified assets. This could potentially lead to privilege escalation and unauthorized actions being performed under the victim's user context (Offensity Blog).

The vulnerability has been addressed and fixed in Liferay Portal 7.4 GA4 (7.4.3.4) and later versions. Users are advised to upgrade to the patched version to mitigate this security risk (Offensity Blog).