Cross-Site Scripting Vulnerabilities in Liferay Portal
CVE-2024-26266

5.4 MEDIUM

Key Information:

Vendor
Liferay
Status
Vendor
CVE Published:
21 February 2024

Summary

Liferay Portal 7.2.0 through 7.4.3.13 (and older unsupported versions) and the Liferay DXP releases listed below contain multiple stored cross-site scripting (XSS) vulnerabilities in the Announcement and Alerts widgets. A remote authenticated user can place a crafted payload in the first, middle, or last name text field of a user entry; when the widget later renders that name it is emitted without HTML escaping, so the injected web script or HTML executes in the browser of every user who views the widget. Because the script runs in the portal's origin, it can act within the viewing user's session, which is why the CVSS vector carries Scope: Changed. Only a low-privileged authenticated account is needed (Privileges Required: Low), and the payload fires when another user views the affected widget (User Interaction: Required). Stored payloads remain in the user records after upgrading, so patching should be followed by a review of existing name fields.
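To make the failure mode concrete, the following is an added example written for this page; it is not Liferay's code and does not reproduce the widget's real template. It shows the vulnerable pattern (an author's display name concatenated straight into markup), the fix (escaping at the output boundary), and a small post-patch triage helper that lists users whose name fields hold HTML metacharacters. The user records, field names and function names are constructed assumptions for the illustration.

```javascript
// Added illustration (not Liferay code): a stored XSS carried by user name
// fields reaching a widget that displays an entry's author, and the fix.
// Record shape, field names and function names are assumptions for this example.

// Constructed sample user records; the second one carries a payload in firstName.
const SAMPLE_USERS = [
  { userId: 1001, firstName: "Alice", middleName: "", lastName: "Smith" },
  {
    userId: 1002,
    firstName: '<img src=x onerror="alert(document.cookie)">',
    middleName: "",
    lastName: "Jones",
  },
];

// Minimal HTML escaping covering the characters that matter in text
// content and in double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Joins the three name parts, skipping empty ones.
function fullName(user) {
  return [user.firstName, user.middleName, user.lastName]
    .filter((part) => part && part.length > 0)
    .join(" ");
}

// Vulnerable pattern: the stored name is interpolated into markup unescaped,
// so every viewer's browser parses the payload as HTML.
function renderAuthorUnsafe(user) {
  return `<span class="announcement-author">${fullName(user)}</span>`;
}

// Fixed pattern: escape at the point of output (the template), not at input,
// so the same stored value is displayed literally.
function renderAuthorSafe(user) {
  return `<span class="announcement-author">${escapeHtml(fullName(user))}</span>`;
}

// Post-patch triage: return the ids of users whose name fields contain HTML
// metacharacters, since upgrading the software does not clean stored payloads.
function findSuspiciousUsers(users) {
  const meta = /[<>"'&]/;
  return users
    .filter((u) =>
      [u.firstName, u.middleName, u.lastName].some((f) => meta.test(f || ""))
    )
    .map((u) => u.userId);
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderAuthorUnsafe(SAMPLE_USERS[1]));
  console.log(renderAuthorSafe(SAMPLE_USERS[1]));
  console.log(findSuspiciousUsers(SAMPLE_USERS));
}
```

The escaping belongs in the rendering template rather than in an input filter: a filter at entry time would leave already-stored payloads live and would not protect other templates that display the same field. The triage helper is deliberately broad; it flags legitimate names containing an apostrophe or ampersand as well, which is acceptable for a one-off review after patching.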

Affected Version(s)

DXP 7.4.13 <= 7.4.13.u9

DXP 7.3.10 <= 7.3.10-dxp-3

DXP 7.2.10 <= 7.2.10-dxp-16

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 21 February 2024