Description
The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL.
Remediation
References
Related Vulnerabilities
Ruby 7PK - Security Features Vulnerability (CVE-2015-3900)
WordPress Plugin Ultimate Gift Cards For WooCommerce Cross-Site Request Forgery (2.1.1)
WordPress Plugin Events Calendar for Google Local File Inclusion (2.1.0)
MySQL CVE-2018-3156 Vulnerability (CVE-2018-3156)
Twisted Web HTTP Server Direct Request ('Forced Browsing') Vulnerability (CVE-2016-1000111)