CVE-2023-42498: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in the Language Override edit screen affecting Liferay Portal versions 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 4 through 92. The vulnerability was reported by Amin ACHOUR and publicly disclosed on February 21, 2024 (Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_key parameter. The severity of this vulnerability has been assessed with two different CVSS v3.1 scores: NIST rates it as MEDIUM (6.1) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Liferay Inc. rates it as CRITICAL (9.6) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could allow attackers to execute arbitrary web scripts or HTML in the context of the user's browser session, potentially leading to theft of sensitive information, session hijacking, or other malicious actions depending on the context and privileges of the affected user (NVD).

The vulnerability has been fixed in Liferay Portal version 7.4.3.98 and Liferay DXP 2023.Q3.5. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Liferay Advisory).