CVE-2023-44311: 
Java vulnerability analysis and mitigation

Multiple reflected cross-site scripting (XSS) vulnerabilities were discovered in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89. This vulnerability, identified as CVE-2023-44311, was discovered as an incomplete fix for a previous vulnerability (CVE-2023-33941) and was publicly disclosed on October 17, 2023 (NVD, Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through two parameters: the 'code' parameter and the 'error' parameter in the OAuth2ProviderApplicationRedirect class. The severity of this vulnerability is rated as Critical with a CVSS v3.1 base score of 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) according to Liferay Inc., while NIST assessed it with a CVSS score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If exploited, this vulnerability could allow attackers to execute arbitrary web scripts or HTML in the context of the affected application, potentially leading to the compromise of user data, session hijacking, or other malicious actions typical of XSS attacks (CERT-EU).

Users running affected versions should upgrade to Liferay DXP 7.4 update 90 or Liferay Portal 7.4.3.90, which contain fixes for this vulnerability (Liferay Advisory).