Arbitrary Script Injection Vulnerability in Liferay Portal
CVE-2024-26269

9.6CRITICAL

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 21 February 2024

Summary

A cross-site scripting vulnerability exists in the Frontend JS module's portlet.js file within Liferay Portal versions 7.2.0 to 7.4.3.37 and Liferay DXP 7.4 prior to update 38. This vulnerability permits remote attackers to inject malicious web scripts or HTML code via the anchor part of a URL. Attackers exploiting this vulnerability can potentially gain unauthorized access to user session data or perform other malicious actions on behalf of affected users. It is essential for users and administrators of the affected products to implement necessary security updates and patches to mitigate risks associated with this vulnerability.

Affected Version(s)

DXP 7.4.13 <= 7.4.13.u37

DXP 7.3.10 <= 7.3.10.u10

DXP 7.2.10 <= 7.2.10-dxp-19

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Feb 15, 2024