Cross-Site Scripting Vulnerability in Liferay Portal and DXP Products
CVE-2024-11993

4.6MEDIUM

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 17 December 2024

What is CVE-2024-11993?

CVE-2024-11993 is a reflected cross-site scripting (XSS) vulnerability identified in Liferay Portal versions 7.1.0 to 7.4.3.38 and Liferay DXP updates. This vulnerability allows remote attackers to execute arbitrary web scripts or HTML through the Dispatch name field. Successful exploitation could lead to unauthorized actions and data exposure, presenting severe security risks for applications leveraging affected versions of these products. It is crucial for organizations using Liferay technologies to implement security patches promptly and to review their application code for potential exposure to this vulnerability.

Affected Version(s)

DXP 7.4.13 <= 7.4.13-u38

Portal 7.4.0 <= 7.4.3.38

References

https://liferay.dev/portal/security/known-vulnerabilities...

CVSS V4

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 17, 2024
Vulnerability Reserved
Nov 29, 2024

Credit

Liferay

milCERT AT