CVE-2023-42496: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and Liferay DXP, identified as CVE-2023-42496. The vulnerability affects Liferay Portal versions 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, 7.4 GA through update 92, and 7.3 before update 34. The issue was reported by Amin ACHOUR and was publicly disclosed on February 21, 2024 (Liferay Advisory).

The vulnerability exists on the add assignees to a role page where remote attackers can inject arbitrary web script or HTML through the _com_liferay_roles_admin_web_portlet_RolesAdminPortlet_tabs2 parameter. The vulnerability has received a CVSS v3.1 base score of 9.6 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) from Liferay Inc., while NIST assigned a score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary web scripts or HTML in the context of the targeted user's browser session. Given the CVSS scoring, the potential impact includes high levels of confidentiality and integrity compromise when successfully exploited (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.98, Liferay DXP 2023.Q3.6, and Liferay DXP 7.3 update 34. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Liferay Advisory).