Platform
java
Component
frontend-js-module
Fixed in
7.4.4
7.4.14
7.3.11
7.2.11
CVE-2024-26269 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in the Frontend JS module of Liferay Portal. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML, potentially compromising user accounts and system integrity. The vulnerability affects Liferay Portal versions 7.2.0 through 7.4.3.37, as well as Liferay DXP versions prior to update 38. A fix is available in Liferay Portal 7.4.4.
Successful exploitation of CVE-2024-26269 allows an attacker to inject malicious JavaScript code into a Liferay Portal page viewed by other users. This can lead to a variety of attacks, including session hijacking, credential theft, and defacement of the portal. The attacker could potentially gain complete control over user accounts, access sensitive data, and even compromise the entire Liferay instance. The anchor (hash) portion of a URL is the attack vector, making it relatively easy to craft malicious links and distribute them to unsuspecting users. This vulnerability is particularly concerning given Liferay's widespread use in enterprise environments, where sensitive data and critical business processes are often managed.
CVE-2024-26269 was publicly disclosed on February 21, 2024. While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.19% (41% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-26269 is to upgrade Liferay Portal to version 7.4.4 or later. If immediate upgrading is not possible, consider implementing temporary workarounds. Input validation and output encoding on the affected portlet.js component can help reduce the attack surface, though this is not a substitute for patching. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor Liferay logs for suspicious activity, particularly unusual JavaScript execution patterns or attempts to access sensitive data.
Update Liferay Portal to the latest available version or apply the corresponding patches provided by Liferay. Refer to the Liferay security advisory for detailed instructions on how to apply the necessary updates or patches. This will resolve the XSS vulnerability in the Frontend JS module.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-26269 is a critical Cross-Site Scripting (XSS) vulnerability in Liferay Portal's Frontend JS module, allowing attackers to inject malicious scripts via URL hashes.
Yes, if you are running Liferay Portal versions 7.2.0–7.4.3.37 or Liferay DXP versions prior to update 38, you are affected by this vulnerability.
Upgrade Liferay Portal to version 7.4.4 or later to remediate the vulnerability. Consider temporary workarounds like input validation and WAF rules if immediate upgrading is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target.
Refer to the official Liferay security advisory for detailed information and mitigation guidance: [https://liferay.com/security/advisory/liferay-portal-7-4-4-and-liferay-dxp-7-4-4-released](https://liferay.com/security/advisory/liferay-portal-7-4-4-and-liferay-dxp-7-4-4-released)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.