Platform
java
Component
com.liferay.portal:release.portal.bom
Fixed in
7.4.4
7.4.14
7.3.11
7.2.11
7.4.3.14
CVE-2024-26266 describes multiple stored cross-site scripting (XSS) vulnerabilities affecting Liferay Portal versions 7.2.0 through 7.4.3.13, and older unsupported versions, as well as Liferay DXP versions prior to update 10. An attacker can inject arbitrary web script or HTML by placing a crafted payload in the first, middle, or last name fields of a user who then creates entries in the Announcement or Alerts widgets; the stored name is rendered unescaped when those entries are displayed. Affected versions include Liferay Portal 7.2 before fix pack 17. The vulnerability is resolved in Liferay Portal 7.4.3.14.
Successful exploitation of CVE-2024-26266 allows an attacker to execute arbitrary JavaScript code within the context of another user's browser session. This can lead to account takeover, data theft (including sensitive information stored within Liferay), and defacement of the Liferay Portal interface. The attacker could potentially steal session cookies, redirect users to malicious websites, or inject malicious content into the portal's pages. Given Liferay's common use in enterprise environments, a successful attack could have a significant impact on business operations and data security. The vulnerability's location within user profile fields makes it relatively easy to exploit, especially for users with administrative privileges.
CVE-2024-26266 was publicly disclosed on February 21, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the criticality of the vulnerability suggest a high probability of exploitation. No KEV listing is currently available. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations utilizing Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP versions prior to update 10 are at risk. This includes businesses relying on Liferay for content management, intranet portals, and customer experience platforms. Shared hosting environments where multiple users have access to create content within Liferay are particularly vulnerable.
• linux / server:
  journalctl -u liferay-portal | grep -i "XSS"
• generic web:
  curl -I https://<liferay_portal_url>/ | grep -i "X-XSS-Protection"
• wordpress / composer / npm: not applicable (Liferay is not a WordPress/Composer/npm component)
• database (mysql, redis, mongodb, postgresql): not applicable (the vulnerability is not directly related to the database)
• windows / supply-chain: not applicable (Liferay is not a Windows/supply-chain component)
disclosure
patch
Exploit status
EPSS
0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-26266 is to upgrade to Liferay Portal 7.4.3.14 or a later supported version. If upgrading immediately is not possible, consider implementing strict input validation and output encoding on all user-supplied data, particularly within the Announcement and Alerts widgets. While not a complete solution, this can help reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Regularly review user roles and permissions to limit the number of users with the ability to create entries in the affected widgets.
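The output-encoding half of the interim mitigation above, shown as an added example that is not Liferay's own code: a small HTML encoder applied to user name fields at the point where they are written into widget markup, next to the unsafe concatenation pattern it replaces, plus a simple input-validation check for name fields. The class, method names and the sample announcement are assumptions constructed for this illustration; in a real Liferay deployment the equivalent production calls are Liferay's `HtmlUtil.escape` or the OWASP Java Encoder's `Encode.forHtml`.

```java
/**
 * Added example (not Liferay project code): contextual HTML output encoding
 * for user-supplied name fields before they are rendered into widget markup.
 */
public final class NameFieldEncoder {

    private NameFieldEncoder() {}

    /** Encode the characters that can break out of an HTML text or quoted attribute context. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Secondary control, input validation: a personal name has no business
     * containing markup delimiters. Rejecting them at save time limits what
     * can be stored, but output encoding above remains the primary defence.
     */
    public static boolean isAcceptableName(String name) {
        return name != null
            && !name.isEmpty()
            && name.length() <= 75
            && name.indexOf('<') < 0
            && name.indexOf('>') < 0;
    }

    /** Vulnerable pattern: stored user data concatenated raw into the page. */
    public static String renderAnnouncementUnsafe(String displayName, String title) {
        return "<div class=\"announcement\">"
            + "<span class=\"author\">" + displayName + "</span>: " + title
            + "</div>";
    }

    /** Hardened pattern: every untrusted value is encoded at the point of output. */
    public static String renderAnnouncement(String displayName, String title) {
        return "<div class=\"announcement\">"
            + "<span class=\"author\">" + encodeForHtml(displayName) + "</span>: "
            + encodeForHtml(title)
            + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample: a last-name field that carries a script tag instead of a name.
        String firstName = "Alice";
        String lastName = "<script>alert(1)</script>";
        String displayName = firstName + " " + lastName;

        System.out.println("validation accepts last name: " + isAcceptableName(lastName)); // false
        System.out.println(renderAnnouncementUnsafe(displayName, "Maintenance window"));
        System.out.println(renderAnnouncement(displayName, "Maintenance window"));
    }
}
```

Running `main` prints the unsafe rendering with a live `<script>` element in the author span, and the hardened rendering with the same value as inert `&lt;script&gt;` text. The validation check is deliberately narrow (length and angle brackets only) so that legitimate names with apostrophes or accented characters still pass; it is a depth-of-defence measure, not a substitute for encoding every value at output.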
Update Liferay Portal to the latest available version. For Liferay DXP, update to version 7.4 Update 10, 7.3 Update 4 or 7.2 Fix Pack 17, or a later version. This resolves the stored cross-site scripting (XSS) vulnerabilities.
CVE-2024-26266 is a critical stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP versions allowing attackers to inject malicious scripts through user name fields in widgets.
You are affected if you are running Liferay Portal versions 7.2.0 through 7.4.3.13, or older unsupported versions, and Liferay DXP versions prior to update 10.
Upgrade to Liferay Portal 7.4.3.14 or later, or to Liferay DXP update 10 or later. Consider input validation and WAF rules as temporary mitigations.
No active exploitation has been confirmed, but the CRITICAL severity suggests it is a likely target.
Refer to the official Liferay security advisory: [https://liferay.com/security-advisories/liferay-portal-dxp-74-3-14-and-liferay-dxp-73-4-released](https://liferay.com/security-advisories/liferay-portal-dxp-74-3-14-and-liferay-dxp-73-4-released)