CVE-2023-47795: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in the Document and Media widget affecting Liferay Portal versions 7.4.3.18 through 7.4.3.101, Liferay DXP 2023.Q3 before patch 6, and Liferay DXP 7.4 update 18 through 92. The vulnerability was reported by Erwin Krazek and publicly disclosed on February 21, 2024 (Liferay Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and allows remote authenticated users to inject arbitrary web script or HTML through a crafted payload in a document's "Title" text field within the Document and Media widget. The vulnerability has received varying CVSS v3.1 severity ratings: NIST assigned a base score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Liferay Inc. assessed it as Critical with a score of 9.0 and vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to execute arbitrary web scripts or HTML in the context of other users' browsers who access the affected document, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been fixed in Liferay Portal version 7.4.3.102 and Liferay DXP 2023.Q3.6. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Liferay Advisory).